Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report C6RET8T1Wi.exe

Overview

General Information

Sample Name:C6RET8T1Wi.exe
Analysis ID:383833
MD5:133b4a863e9a9c74b7320f54abf199d7
SHA1:d4db04a031b65254b4194bb2f1ca81a487a7fe50
SHA256:db6863fdde8111c668522696e503145c0f988ad14c248fbba9ecd4a23de83613
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • C6RET8T1Wi.exe (PID: 6460 cmdline: 'C:\Users\user\Desktop\C6RET8T1Wi.exe' MD5: 133B4A863E9A9C74B7320F54ABF199D7)
    • schtasks.exe (PID: 6860 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • C6RET8T1Wi.exe (PID: 6968 cmdline: C:\Users\user\Desktop\C6RET8T1Wi.exe MD5: 133B4A863E9A9C74B7320F54ABF199D7)
    • C6RET8T1Wi.exe (PID: 7028 cmdline: C:\Users\user\Desktop\C6RET8T1Wi.exe MD5: 133B4A863E9A9C74B7320F54ABF199D7)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "armyscheme3@yandex.combrowse9jasmtp.yandex.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      0000000D.00000002.528245994.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000001.00000002.294530199.0000000003F46000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 4 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            13.2.C6RET8T1Wi.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              1.2.C6RET8T1Wi.exe.3fe82e0.4.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                1.2.C6RET8T1Wi.exe.3fe82e0.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                  Sigma Overview

                  System Summary:

                  barindex
                  Sigma detected: Scheduled temp file as task from temp locationShow sources
                  Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\C6RET8T1Wi.exe' , ParentImage: C:\Users\user\Desktop\C6RET8T1Wi.exe, ParentProcessId: 6460, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp', ProcessId: 6860

                  Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection:

                  barindex
                  Found malware configurationShow sources
                  Source: 13.2.C6RET8T1Wi.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "armyscheme3@yandex.combrowse9jasmtp.yandex.com"}
                  Multi AV Scanner detection for dropped fileShow sources
                  Source: C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exeReversingLabs: Detection: 37%
                  Multi AV Scanner detection for submitted fileShow sources
                  Source: C6RET8T1Wi.exeVirustotal: Detection: 41%Perma Link
                  Source: C6RET8T1Wi.exeReversingLabs: Detection: 37%
                  Machine Learning detection for dropped fileShow sources
                  Source: C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exeJoe Sandbox ML: detected
                  Machine Learning detection for sampleShow sources
                  Source: C6RET8T1Wi.exeJoe Sandbox ML: detected
                  Source: 13.2.C6RET8T1Wi.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: C6RET8T1Wi.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: C6RET8T1Wi.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h1_2_04E29838
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h1_2_04E298EC
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h1_2_04E29827
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h1_2_04E2A9E9
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h1_2_04E2A9F8
                  Source: global trafficTCP traffic: 192.168.2.5:49724 -> 77.88.21.158:587
                  Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
                  Source: global trafficTCP traffic: 192.168.2.5:49724 -> 77.88.21.158:587
                  Source: unknownDNS traffic detected: queries for: smtp.yandex.com
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpString found in binary or memory: http://NmvONo.com
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 0000000D.00000002.535134278.000000000354E000.00000004.00000001.sdmpString found in binary or memory: http://O4Irimjy3mfmBZ0.com
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000003.265303167.0000000005ECB000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291795607.0000000002DB1000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000002.291953862.0000000002E13000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291953862.0000000002E13000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.534943909.0000000003520000.00000004.00000001.sdmpString found in binary or memory: http://smtp.yandex.com
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000003.271921494.0000000005EBD000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000003.271468846.0000000005EB9000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: C6RET8T1Wi.exe, 00000001.00000003.271921494.0000000005EBD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersuJ
                  Source: C6RET8T1Wi.exe, 00000001.00000002.298526461.0000000005EB0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comj
                  Source: C6RET8T1Wi.exe, 00000001.00000002.298526461.0000000005EB0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comrz
                  Source: C6RET8T1Wi.exe, 00000001.00000002.298526461.0000000005EB0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comt)
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                  Source: C6RET8T1Wi.exe, 00000001.00000003.265008386.0000000005ECB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comX
                  Source: C6RET8T1Wi.exe, 00000001.00000003.265008386.0000000005ECB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comx
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000003.266823416.0000000005EB4000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000003.266803258.0000000005EED000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: C6RET8T1Wi.exe, 00000001.00000003.267169299.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cr
                  Source: C6RET8T1Wi.exe, 00000001.00000003.266823416.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnGK1
                  Source: C6RET8T1Wi.exe, 00000001.00000003.266823416.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnNK&
                  Source: C6RET8T1Wi.exe, 00000001.00000003.266803258.0000000005EED000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnP
                  Source: C6RET8T1Wi.exe, 00000001.00000003.266803258.0000000005EED000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnb-n
                  Source: C6RET8T1Wi.exe, 00000001.00000003.266803258.0000000005EED000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cns
                  Source: C6RET8T1Wi.exe, 00000001.00000003.266823416.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnt
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/)
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/0
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/?
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/F
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/M
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Verdx
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0rsT
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/alny
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ico
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/k
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: C6RET8T1Wi.exe, 00000001.00000003.264798854.0000000005ECB000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comS
                  Source: C6RET8T1Wi.exe, 00000001.00000003.264798854.0000000005ECB000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comsed~
                  Source: C6RET8T1Wi.exe, 00000001.00000003.264798854.0000000005ECB000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comw
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: C6RET8T1Wi.exe, 00000001.00000003.266153350.0000000005EB6000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krC
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                  Source: C6RET8T1Wi.exe, 00000001.00000003.265303167.0000000005ECB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.como
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0
                  Source: C6RET8T1Wi.exe, 00000001.00000002.294530199.0000000003F46000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 0000000D.00000002.528245994.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                  System Summary:

                  barindex
                  .NET source code contains very large array initializationsShow sources
                  Source: 13.2.C6RET8T1Wi.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9BB50ABBu002d997Bu002d49D4u002d96BAu002dB4F190B3376Fu007d/u0036183AC38u002d4AD0u002d4B11u002d886Du002d06E3B37F3CC0.csLarge array initialization: .cctor: array initializer size 11951
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_014FD4F01_2_014FD4F0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_014F99D81_2_014F99D8
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_014FDB211_2_014FDB21
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_014F7FC11_2_014F7FC1
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E277F61_2_04E277F6
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E268C81_2_04E268C8
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E208901_2_04E20890
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E2A0381_2_04E2A038
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E220191_2_04E22019
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E262B01_2_04E262B0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E25BD01_2_04E25BD0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E21B181_2_04E21B18
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E20CF91_2_04E20CF9
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E235F01_2_04E235F0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E235DB1_2_04E235DB
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E20D081_2_04E20D08
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E276901_2_04E27690
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E22F801_2_04E22F80
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E22F731_2_04E22F73
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E278E61_2_04E278E6
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E278D71_2_04E278D7
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E268B81_2_04E268B8
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E278891_2_04E27889
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E208481_2_04E20848
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E230221_2_04E23022
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E2790D1_2_04E2790D
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E272F31_2_04E272F3
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E262A01_2_04E262A0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E25BC31_2_04E25BC3
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E20BD11_2_04E20BD1
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_054844BC1_2_054844BC
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_0163616813_2_01636168
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_0163B57013_2_0163B570
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_0163A1D013_2_0163A1D0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_01633DA013_2_01633DA0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_0163282013_2_01632820
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_0163860813_2_01638608
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_01635D9813_2_01635D98
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B516813_2_016B5168
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B5D4813_2_016B5D48
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B19A813_2_016B19A8
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B945013_2_016B9450
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B90CF13_2_016B90CF
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016BCA1013_2_016BCA10
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B7AE813_2_016B7AE8
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B5D3413_2_016B5D34
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B29F013_2_016B29F0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016BF0B813_2_016BF0B8
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016BB3E013_2_016BB3E0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_030546A013_2_030546A0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_0305469013_2_03054690
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_0305DA0013_2_0305DA00
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_00CB6B6713_2_00CB6B67
                  Source: C6RET8T1Wi.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: ePVIisXwKSPaua.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291795607.0000000002DB1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll2 vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 00000001.00000002.293757491.0000000003DBC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll" vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 00000001.00000002.294530199.0000000003F46000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameZLGbMGFFseWUKMCXRuKzK.exe4 vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 00000001.00000002.289947497.00000000009E6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTypeUnion.exe< vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 00000001.00000002.301815062.000000000DA80000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 00000001.00000002.302225029.000000000DB70000.00000002.00000001.sdmpBinary or memory string: originalfilename vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 00000001.00000002.302225029.000000000DB70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 0000000A.00000002.287952335.0000000000436000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTypeUnion.exe< vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 0000000D.00000000.288793485.0000000000D96000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTypeUnion.exe< vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.528245994.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameZLGbMGFFseWUKMCXRuKzK.exe4 vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.530112128.0000000001138000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.531412296.000000000140A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.530292093.00000000011D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.531708358.0000000001640000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exeBinary or memory string: OriginalFilenameTypeUnion.exe< vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: C6RET8T1Wi.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: ePVIisXwKSPaua.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 13.2.C6RET8T1Wi.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 13.2.C6RET8T1Wi.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/4@2/1
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile created: C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exeJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8430.tmpJump to behavior
                  Source: C6RET8T1Wi.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: C6RET8T1Wi.exeVirustotal: Detection: 41%
                  Source: C6RET8T1Wi.exeReversingLabs: Detection: 37%
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile read: C:\Users\user\Desktop\C6RET8T1Wi.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\C6RET8T1Wi.exe 'C:\Users\user\Desktop\C6RET8T1Wi.exe'
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp'
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess created: C:\Users\user\Desktop\C6RET8T1Wi.exe C:\Users\user\Desktop\C6RET8T1Wi.exe
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess created: C:\Users\user\Desktop\C6RET8T1Wi.exe C:\Users\user\Desktop\C6RET8T1Wi.exe
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp'Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess created: C:\Users\user\Desktop\C6RET8T1Wi.exe C:\Users\user\Desktop\C6RET8T1Wi.exeJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess created: C:\Users\user\Desktop\C6RET8T1Wi.exe C:\Users\user\Desktop\C6RET8T1Wi.exeJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: C6RET8T1Wi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: C6RET8T1Wi.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_00905955 push es; ret 1_2_00905965
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E2394C push cs; ret 1_2_04E23950
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_04E23953 push cs; ret 1_2_04E23957
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 1_2_0548AE90 push ecx; ret 1_2_0548AEA5
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 10_2_00355955 push es; ret 10_2_00355965
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_00CB5955 push es; ret 13_2_00CB5965
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_0163B4B0 pushad ; iretd 13_2_0163B561
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B0312 push 8BFFFFFFh; retf 13_2_016B0318
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_0305CD51 push esp; iretd 13_2_0305CD5D
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.77629150782
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.77629150782
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile created: C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exeJump to dropped file

                  Boot Survival:

                  barindex
                  Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp'
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion:

                  barindex
                  Yara detected AntiVM3Show sources
                  Source: Yara matchFile source: 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: C6RET8T1Wi.exe PID: 6460, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B5911 rdtsc 13_2_016B5911
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeWindow / User API: threadDelayed 9291Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeWindow / User API: threadDelayed 562Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exe TID: 6464Thread sleep time: -102839s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exe TID: 6488Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exe TID: 5916Thread sleep time: -13835058055282155s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exe TID: 5912Thread sleep count: 9291 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exe TID: 5912Thread sleep count: 562 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeThread delayed: delay time: 102839Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: vmware
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: VMWARE
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.531533408.0000000001470000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016B5911 rdtsc 13_2_016B5911
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeCode function: 13_2_016339D0 LdrInitializeThunk,13_2_016339D0
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion:

                  barindex
                  Injects a PE file into a foreign processesShow sources
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeMemory written: C:\Users\user\Desktop\C6RET8T1Wi.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp'Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess created: C:\Users\user\Desktop\C6RET8T1Wi.exe C:\Users\user\Desktop\C6RET8T1Wi.exeJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeProcess created: C:\Users\user\Desktop\C6RET8T1Wi.exe C:\Users\user\Desktop\C6RET8T1Wi.exeJump to behavior
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532020269.0000000001BC0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532020269.0000000001BC0000.00000002.00000001.sdmpBinary or memory string: Progman
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532020269.0000000001BC0000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532020269.0000000001BC0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
                  Source: C6RET8T1Wi.exe, 0000000D.00000002.532020269.0000000001BC0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Users\user\Desktop\C6RET8T1Wi.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Users\user\Desktop\C6RET8T1Wi.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000D.00000002.528245994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.294530199.0000000003F46000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: C6RET8T1Wi.exe PID: 7028, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: C6RET8T1Wi.exe PID: 6460, type: MEMORY
                  Source: Yara matchFile source: 13.2.C6RET8T1Wi.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.C6RET8T1Wi.exe.3fe82e0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.C6RET8T1Wi.exe.3fe82e0.4.unpack, type: UNPACKEDPE
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)Show sources
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Tries to harvest and steal ftp login credentialsShow sources
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
                  Tries to steal Mail credentials (via file access)Show sources
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: C:\Users\user\Desktop\C6RET8T1Wi.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: Yara matchFile source: 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: C6RET8T1Wi.exe PID: 7028, type: MEMORY

                  Remote Access Functionality:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000D.00000002.528245994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.294530199.0000000003F46000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: C6RET8T1Wi.exe PID: 7028, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: C6RET8T1Wi.exe PID: 6460, type: MEMORY
                  Source: Yara matchFile source: 13.2.C6RET8T1Wi.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.C6RET8T1Wi.exe.3fe82e0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.C6RET8T1Wi.exe.3fe82e0.4.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid AccountsWindows Management Instrumentation211Scheduled Task/Job1Process Injection112Disable or Modify Tools1OS Credential Dumping2File and Directory Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Deobfuscate/Decode Files or Information1Credentials in Registry1System Information Discovery114Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information3Security Account ManagerQuery Registry1SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing3NTDSSecurity Software Discovery331Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading1LSA SecretsProcess Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion141Cached Domain CredentialsVirtualization/Sandbox Evasion141VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection112DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 signatures2 2 Behavior Graph ID: 383833 Sample: C6RET8T1Wi.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Sigma detected: Scheduled temp file as task from temp location 2->37 39 7 other signatures 2->39 7 C6RET8T1Wi.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\...\ePVIisXwKSPaua.exe, PE32 7->21 dropped 23 C:\...\ePVIisXwKSPaua.exe:Zone.Identifier, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp8430.tmp, XML 7->25 dropped 27 C:\Users\user\AppData\...\C6RET8T1Wi.exe.log, ASCII 7->27 dropped 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 Injects a PE file into a foreign processes 7->47 11 C6RET8T1Wi.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        17 C6RET8T1Wi.exe 7->17         started        signatures5 process6 dnsIp7 29 smtp.yandex.ru 77.88.21.158, 49724, 587 YANDEXRU Russian Federation 11->29 31 smtp.yandex.com 11->31 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Tries to steal Mail credentials (via file access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 19 conhost.exe 15->19         started        signatures8 process9

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  C6RET8T1Wi.exe41%VirustotalBrowse
                  C6RET8T1Wi.exe38%ReversingLabsWin32.Trojan.Wacatac
                  C6RET8T1Wi.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exe38%ReversingLabsWin32.Trojan.Wacatac

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  13.2.C6RET8T1Wi.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.jiyu-kobo.co.jp/Verdx0%Avira URL Cloudsafe
                  http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                  http://www.founder.com.cn/cnP0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cr0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/Y0rsT0%Avira URL Cloudsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.fontbureau.comrz0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/alny0%Avira URL Cloudsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://subca.ocsp-certum.com0.0%URL Reputationsafe
                  http://subca.ocsp-certum.com0.0%URL Reputationsafe
                  http://subca.ocsp-certum.com0.0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://www.founder.com.cn/cnb-n0%Avira URL Cloudsafe
                  http://O4Irimjy3mfmBZ0.com0%Avira URL Cloudsafe
                  http://www.sajatypeworks.comS0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/00%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/00%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/00%URL Reputationsafe
                  http://www.fontbureau.comt)0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cns0%Avira URL Cloudsafe
                  http://subca.ocsp-certum.com010%URL Reputationsafe
                  http://subca.ocsp-certum.com010%URL Reputationsafe
                  http://subca.ocsp-certum.com010%URL Reputationsafe
                  http://www.founder.com.cn/cnt0%URL Reputationsafe
                  http://www.founder.com.cn/cnt0%URL Reputationsafe
                  http://www.founder.com.cn/cnt0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/)0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/)0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/)0%URL Reputationsafe
                  https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                  https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                  https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://www.sandoll.co.krC0%Avira URL Cloudsafe
                  http://www.fonts.comx0%Avira URL Cloudsafe
                  https://api.ipify.org%0%URL Reputationsafe
                  https://api.ipify.org%0%URL Reputationsafe
                  https://api.ipify.org%0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  http://www.founder.com.cn/cnGK10%Avira URL Cloudsafe
                  http://NmvONo.com0%Avira URL Cloudsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  http://www.sajatypeworks.comw0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/M0%Avira URL Cloudsafe
                  http://www.tiro.como0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/F0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/F0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/F0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/?0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/?0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/?0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  smtp.yandex.ru
                  		77.88.21.158
                  		truefalse
                    		high
                    smtp.yandex.com
                    		unknown
                    		unknownfalse
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.jiyu-kobo.co.jp/VerdxC6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://127.0.0.1:HTTP/1.1C6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.fontbureau.com/designersGC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                        		high
                        http://www.founder.com.cn/cnPC6RET8T1Wi.exe, 00000001.00000003.266803258.0000000005EED000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.fontbureau.com/designers/?C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn/bTheC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers?C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/crC6RET8T1Wi.exe, 00000001.00000003.267169299.0000000005EB4000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://yandex.crl.certum.pl/ycasha2.crl0qC6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                              		high
                              http://www.jiyu-kobo.co.jp/Y0rsTC6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4C6RET8T1Wi.exe, 00000001.00000002.291953862.0000000002E13000.00000004.00000001.sdmpfalse
                                		high
                                http://www.tiro.comC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000003.271921494.0000000005EBD000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000003.271468846.0000000005EB9000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.goodfont.co.krC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designersuJC6RET8T1Wi.exe, 00000001.00000003.271921494.0000000005EBD000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.fontbureau.comrzC6RET8T1Wi.exe, 00000001.00000002.298526461.0000000005EB0000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssC6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmpfalse
                                      		high
                                      http://www.jiyu-kobo.co.jp/alnyC6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.sajatypeworks.comC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://subca.ocsp-certum.com0.C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.typography.netDC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://repository.certum.pl/ca.cer09C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.founder.com.cn/cn/cTheC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.galapagosdesign.com/staff/dennis.htmC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://fontfabrik.comC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000003.265303167.0000000005ECB000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.founder.com.cn/cnb-nC6RET8T1Wi.exe, 00000001.00000003.266803258.0000000005EED000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://O4Irimjy3mfmBZ0.comC6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 0000000D.00000002.535134278.000000000354E000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.sajatypeworks.comSC6RET8T1Wi.exe, 00000001.00000003.264798854.0000000005ECB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/0C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.comt)C6RET8T1Wi.exe, 00000001.00000002.298526461.0000000005EB0000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		low
                                        http://www.founder.com.cn/cnsC6RET8T1Wi.exe, 00000001.00000003.266803258.0000000005EED000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://subca.ocsp-certum.com01C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.founder.com.cn/cntC6RET8T1Wi.exe, 00000001.00000003.266823416.0000000005EB4000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.galapagosdesign.com/DPleaseC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/)C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        https://api.ipify.org%GETMozilla/5.0C6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		low
                                        http://www.fonts.comC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.sandoll.co.krC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.urwpp.deDPleaseC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.zhongyicts.com.cnC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameC6RET8T1Wi.exe, 00000001.00000002.291795607.0000000002DB1000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000002.291953862.0000000002E13000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.sakkal.comC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.sandoll.co.krCC6RET8T1Wi.exe, 00000001.00000003.266153350.0000000005EB6000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.fonts.comxC6RET8T1Wi.exe, 00000001.00000003.265008386.0000000005ECB000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://api.ipify.org%C6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		low
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipC6RET8T1Wi.exe, 00000001.00000002.294530199.0000000003F46000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 0000000D.00000002.528245994.0000000000402000.00000040.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.certum.pl/CPS0C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.founder.com.cn/cnGK1C6RET8T1Wi.exe, 00000001.00000003.266823416.0000000005EB4000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://NmvONo.comC6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://repository.certum.pl/ycasha2.cer0C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.apache.org/licenses/LICENSE-2.0C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                                  		high
                                                  http://www.fontbureau.comC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://DynDns.comDynDNSC6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://repository.certum.pl/ctnca.cer09C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                                      		high
                                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haC6RET8T1Wi.exe, 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://crl.certum.pl/ctnca.crl0kC6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://www.sajatypeworks.comwC6RET8T1Wi.exe, 00000001.00000003.264798854.0000000005ECB000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.jiyu-kobo.co.jp/MC6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.tiro.comoC6RET8T1Wi.exe, 00000001.00000003.265303167.0000000005ECB000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.jiyu-kobo.co.jp/FC6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://www.certum.pl/CPS0C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                                          		high
                                                          http://www.jiyu-kobo.co.jp/jp/C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.fonts.comXC6RET8T1Wi.exe, 00000001.00000003.265008386.0000000005ECB000.00000004.00000001.sdmpfalse
                                                            		unknown
                                                            http://www.jiyu-kobo.co.jp/?C6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://smtp.yandex.comC6RET8T1Wi.exe, 0000000D.00000002.534943909.0000000003520000.00000004.00000001.sdmpfalse
                                                              		high
                                                              http://www.carterandcone.comlC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://yandex.ocsp-responder.com03C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.fontbureau.comjC6RET8T1Wi.exe, 00000001.00000002.298526461.0000000005EB0000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://www.founder.com.cn/cnNK&C6RET8T1Wi.exe, 00000001.00000003.266823416.0000000005EB4000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://www.fontbureau.com/designers/cabarga.htmlNC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                                                		high
                                                                http://www.founder.com.cn/cnC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000003.266823416.0000000005EB4000.00000004.00000001.sdmp, C6RET8T1Wi.exe, 00000001.00000003.266803258.0000000005EED000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.fontbureau.com/designers/frere-jones.htmlC6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  http://crls.yandex.net/certum/ycasha2.crl0-C6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                                                    		high
                                                                    http://www.jiyu-kobo.co.jp/icoC6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    http://www.jiyu-kobo.co.jp/C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://www.jiyu-kobo.co.jp/kC6RET8T1Wi.exe, 00000001.00000003.268941436.0000000005EB4000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://www.fontbureau.com/designers8C6RET8T1Wi.exe, 00000001.00000002.299365680.00000000070C2000.00000004.00000001.sdmpfalse
                                                                      		high
                                                                      http://crl.certum.pl/ca.crl0hC6RET8T1Wi.exe, 0000000D.00000002.535007261.000000000352A000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        http://www.sajatypeworks.comsed~C6RET8T1Wi.exe, 00000001.00000003.264798854.0000000005ECB000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		low

                                                                        Contacted IPs

                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs

                                                                        Public

                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                        77.88.21.158
                                                                        		smtp.yandex.ruRussian Federation
                                                                        		13238YANDEXRUfalse

                                                                        General Information

                                                                        Joe Sandbox Version:31.0.0 Emerald
                                                                        Analysis ID:383833
                                                                        Start date:08.04.2021
                                                                        Start time:10:46:53
                                                                        Joe Sandbox Product:CloudBasic
                                                                        Overall analysis duration:0h 10m 56s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Sample file name:C6RET8T1Wi.exe
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                        Number of analysed new started processes analysed:25
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • HDC enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.spyw.evad.winEXE@8/4@2/1
                                                                        EGA Information:Failed
                                                                        HDC Information:Failed
                                                                        HCA Information:
                                                                        • Successful, ratio: 100%
                                                                        • Number of executed functions: 80
                                                                        • Number of non-executed functions: 13
                                                                        Cookbook Comments:
                                                                        • Adjust boot time
                                                                        • Enable AMSI
                                                                        • Found application associated with file extension: .exe
                                                                        Warnings:
                                                                        Show All
                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                        • Excluded IPs from analysis (whitelisted): 93.184.220.29, 204.79.197.200, 13.107.21.200, 20.50.102.62, 104.43.139.144, 52.255.188.83, 23.54.113.53, 104.42.151.234, 52.147.198.201, 95.100.54.203, 20.82.210.154, 23.10.249.26, 23.10.249.43, 20.54.26.129
                                                                        • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        TimeTypeDescription
                                                                        10:48:13API Interceptor706x Sleep call for process: C6RET8T1Wi.exe modified

                                                                        Joe Sandbox View / Context

                                                                        IPs

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                        77.88.21.158RFQ# ZAT77095_pdf.exeGet hashmaliciousBrowse
                                                                          AL JUNEIDI LIST.xlsxGet hashmaliciousBrowse
                                                                            SWIFT.exeGet hashmaliciousBrowse
                                                                              Payment _Advice (2).exeGet hashmaliciousBrowse
                                                                                cricket.exeGet hashmaliciousBrowse
                                                                                  SG1_000000123205044_1.pdf.gz.exeGet hashmaliciousBrowse
                                                                                    Ordine d'acquisto 240517_04062021.exeGet hashmaliciousBrowse
                                                                                      Order 01042021-V728394-H16.pdf.exeGet hashmaliciousBrowse
                                                                                        RFQ#EX50GO_pdf.exeGet hashmaliciousBrowse
                                                                                          TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exeGet hashmaliciousBrowse
                                                                                            Shandong CIRS Form.exeGet hashmaliciousBrowse
                                                                                              DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exeGet hashmaliciousBrowse
                                                                                                REQUEST QUOTATION BID..pdf.exeGet hashmaliciousBrowse
                                                                                                  RFQ#ZAEL67012_doc.exeGet hashmaliciousBrowse
                                                                                                    Q99Eljz7IT.exeGet hashmaliciousBrowse
                                                                                                      SecuriteInfo.com.Trojan.PackedNET.576.12750.exeGet hashmaliciousBrowse
                                                                                                        Swift Copy Against due Invoice.PDF.exeGet hashmaliciousBrowse
                                                                                                          PO#ZA3MMA_pdf.exeGet hashmaliciousBrowse
                                                                                                            kfMrlKSN4F.exeGet hashmaliciousBrowse
                                                                                                              xjvIB3Wkvk.exeGet hashmaliciousBrowse

                                                                                                                Domains

                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                smtp.yandex.ruRFQ# ZAT77095_pdf.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                AL JUNEIDI LIST.xlsxGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                SWIFT.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Payment _Advice (2).exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                cricket.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                SG1_000000123205044_1.pdf.gz.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Ordine d'acquisto 240517_04062021.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Order 01042021-V728394-H16.pdf.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                RFQ#EX50GO_pdf.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Shandong CIRS Form.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                REQUEST QUOTATION BID..pdf.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                RFQ#ZAEL67012_doc.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Q99Eljz7IT.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                SecuriteInfo.com.Trojan.PackedNET.576.12750.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Swift Copy Against due Invoice.PDF.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                PO#ZA3MMA_pdf.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                kfMrlKSN4F.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                xjvIB3Wkvk.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158

                                                                                                                ASN

                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                YANDEXRURFQ# ZAT77095_pdf.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                AL JUNEIDI LIST.xlsxGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                SWIFT.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Payment _Advice (2).exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                cricket.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                SG1_000000123205044_1.pdf.gz.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Ordine d'acquisto 240517_04062021.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                _VmailMessage_Wave19922626.htmlGet hashmaliciousBrowse
                                                                                                                • 77.88.21.179
                                                                                                                Order 01042021-V728394-H16.pdf.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                RFQ#EX50GO_pdf.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Shandong CIRS Form.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                REQUEST QUOTATION BID..pdf.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                RFQ#ZAEL67012_doc.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Q99Eljz7IT.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                SecuriteInfo.com.Trojan.PackedNET.576.12750.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                Swift Copy Against due Invoice.PDF.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158
                                                                                                                scan-100218.docmGet hashmaliciousBrowse
                                                                                                                • 93.158.134.119
                                                                                                                PO#ZA3MMA_pdf.exeGet hashmaliciousBrowse
                                                                                                                • 77.88.21.158

                                                                                                                JA3 Fingerprints

                                                                                                                No context

                                                                                                                Dropped Files

                                                                                                                No context

                                                                                                                Created / dropped Files

                                                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C6RET8T1Wi.exe.log
                                                                                                                Process:C:\Users\user\Desktop\C6RET8T1Wi.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:modified
                                                                                                                Size (bytes):1314
                                                                                                                Entropy (8bit):5.350128552078965
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                                                MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                                                SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                                                SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                                                SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                                                Malicious:true
                                                                                                                Reputation:high, very likely benign file
                                                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                                                C:\Users\user\AppData\Local\Temp\tmp8430.tmp
                                                                                                                Process:C:\Users\user\Desktop\C6RET8T1Wi.exe
                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1651
                                                                                                                Entropy (8bit):5.172916200556988
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBi0tn:cbhC7ZlNQF/rydbz9I3YODOLNdq3L
                                                                                                                MD5:0DA72E8020ACC34E9DF0550E2446BF92
                                                                                                                SHA1:33C2C9C78819261F163B778AADC7E7FA0E289C20
                                                                                                                SHA-256:E7D5394DC8C71CE85A1CB3DA70F23E1D016CD5E51136A17D41E9177F04FDA18C
                                                                                                                SHA-512:AD60907A0468FFEB0950A60A247F61E46ECB9DBFE9B24365966867DDA7A9B6A4DEEE2E007210CF9BCF26A443EBBF04E4B0B3F428791C469B4D0329D503E0E14B
                                                                                                                Malicious:true
                                                                                                                Reputation:low
                                                                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                                                                                C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exe
                                                                                                                Process:C:\Users\user\Desktop\C6RET8T1Wi.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1031168
                                                                                                                Entropy (8bit):7.5599836445937
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:N1TbhttyDnl8+3Jsesv+1yrA/Jp/jO9BvLe:NTttonlvsGX//bOvL
                                                                                                                MD5:133B4A863E9A9C74B7320F54ABF199D7
                                                                                                                SHA1:D4DB04A031B65254B4194BB2F1CA81A487A7FE50
                                                                                                                SHA-256:DB6863FDDE8111C668522696E503145C0F988AD14C248FBBA9ECD4A23DE83613
                                                                                                                SHA-512:C24F5DC2C8D27D7DA9A8D4B91201E33A4748B67368605ABE016256DE73066E9E99E9FD9012444A1548320ECB0C60CF9494635B0071F656EB4632177AEADC2C57
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                • Antivirus: ReversingLabs, Detection: 38%
                                                                                                                Reputation:low
                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;m`..............P..8..........^W... ...`....@.. ....................................@..................................W..O....`............................................................................... ............... ..H............text...d7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc..............................@..B................@W......H.......|<...O..........\................................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....o....(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....+..*.0......
                                                                                                                C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exe:Zone.Identifier
                                                                                                                Process:C:\Users\user\Desktop\C6RET8T1Wi.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):26
                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                Malicious:true
                                                                                                                Reputation:high, very likely benign file
                                                                                                                Preview: [ZoneTransfer]....ZoneId=0

                                                                                                                Static File Info

                                                                                                                General

                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Entropy (8bit):7.5599836445937
                                                                                                                TrID:
                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                                                File name:C6RET8T1Wi.exe
                                                                                                                File size:1031168
                                                                                                                MD5:133b4a863e9a9c74b7320f54abf199d7
                                                                                                                SHA1:d4db04a031b65254b4194bb2f1ca81a487a7fe50
                                                                                                                SHA256:db6863fdde8111c668522696e503145c0f988ad14c248fbba9ecd4a23de83613
                                                                                                                SHA512:c24f5dc2c8d27d7da9a8d4b91201e33a4748b67368605abe016256de73066e9e99e9fd9012444a1548320ecb0c60cf9494635b0071f656eb4632177aeadc2c57
                                                                                                                SSDEEP:24576:N1TbhttyDnl8+3Jsesv+1yrA/Jp/jO9BvLe:NTttonlvsGX//bOvL
                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;m`..............P..8..........^W... ...`....@.. ....................................@................................

                                                                                                                File Icon

                                                                                                                Icon Hash:d28ab3b0e0ab96c4

                                                                                                                Static PE Info

                                                                                                                General

                                                                                                                Entrypoint:0x4d575e
                                                                                                                Entrypoint Section:.text
                                                                                                                Digitally signed:false
                                                                                                                Imagebase:0x400000
                                                                                                                Subsystem:windows gui
                                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                Time Stamp:0x606D3B0F [Wed Apr 7 04:54:39 2021 UTC]
                                                                                                                TLS Callbacks:
                                                                                                                CLR (.Net) Version:v4.0.30319
                                                                                                                OS Version Major:4
                                                                                                                OS Version Minor:0
                                                                                                                File Version Major:4
                                                                                                                File Version Minor:0
                                                                                                                Subsystem Version Major:4
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                Entrypoint Preview

                                                                                                                Instruction
                                                                                                                jmp dword ptr [00402000h]
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al

                                                                                                                Data Directories

                                                                                                                NameVirtual AddressVirtual Size Is in Section
                                                                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xd570c0x4f.text
                                                                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xd60000x28000.rsrc
                                                                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xfe0000xc.reloc
                                                                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                Sections

                                                                                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                .text0x20000xd37640xd3800False0.852953466681data7.77629150782IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                                .rsrc0xd60000x280000x28000False0.348266601562data5.33199734146IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                .reloc0xfe0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                Resources

                                                                                                                NameRVASizeTypeLanguageCountry
                                                                                                                RT_ICON0xd62800x10828dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                                                                                                RT_ICON0xe6aa80x94a8data
                                                                                                                RT_ICON0xeff500x5488data
                                                                                                                RT_ICON0xf53d80x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
                                                                                                                RT_ICON0xf96000x25a8data
                                                                                                                RT_ICON0xfbba80x10a8data
                                                                                                                RT_ICON0xfcc500x988data
                                                                                                                RT_ICON0xfd5d80x468GLS_BINARY_LSB_FIRST
                                                                                                                RT_GROUP_ICON0xfda400x76data
                                                                                                                RT_VERSION0xfdab80x35cdata
                                                                                                                RT_MANIFEST0xfde140x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                                Imports

                                                                                                                DLLImport
                                                                                                                mscoree.dll_CorExeMain

                                                                                                                Version Infos

                                                                                                                DescriptionData
                                                                                                                Translation0x0000 0x04b0
                                                                                                                LegalCopyrightCopyright 2021
                                                                                                                Assembly Version7.0.0.1
                                                                                                                InternalNameTypeUnion.exe
                                                                                                                FileVersion7.0.0.1
                                                                                                                CompanyNameFileCodeGroup
                                                                                                                LegalTrademarks
                                                                                                                CommentsFileCodeGroup
                                                                                                                ProductNameMajor Project
                                                                                                                ProductVersion7.0.0.1
                                                                                                                FileDescriptionMajor Project
                                                                                                                OriginalFilenameTypeUnion.exe

                                                                                                                Network Behavior

                                                                                                                Network Port Distribution

                                                                                                                TCP Packets

                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                Apr 8, 2021 10:50:04.697968960 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:04.757010937 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:04.757100105 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:04.956531048 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:04.957103968 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.016175985 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.016228914 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.016913891 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.075756073 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.131339073 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.189738035 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.250076056 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.250133038 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.250169992 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.250202894 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.250351906 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.250478029 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.321717978 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.381097078 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.429044008 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.727226019 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.786475897 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.788240910 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.847610950 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.848956108 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.919176102 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.923804998 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:05.990900993 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:05.991934061 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:06.057542086 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:06.058021069 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:06.116939068 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:06.120604038 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:06.120918989 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:06.121618986 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:06.121798038 CEST49724587192.168.2.577.88.21.158
                                                                                                                Apr 8, 2021 10:50:06.179809093 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:06.180265903 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:06.493727922 CEST5874972477.88.21.158192.168.2.5
                                                                                                                Apr 8, 2021 10:50:06.537614107 CEST49724587192.168.2.577.88.21.158

                                                                                                                UDP Packets

                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                Apr 8, 2021 10:47:45.395198107 CEST5270453192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:47:45.407685995 CEST53527048.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:47:45.516362906 CEST5221253192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:47:45.529778957 CEST53522128.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:47:45.551681995 CEST5430253192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:47:45.563613892 CEST53543028.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:47:45.584640026 CEST5378453192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:47:45.598089933 CEST53537848.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:47:45.763812065 CEST6530753192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:47:45.789467096 CEST53653078.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:47:46.132524967 CEST6434453192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:47:46.145257950 CEST53643448.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:47:47.134906054 CEST6206053192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:47:47.148159027 CEST53620608.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:47:52.575403929 CEST6180553192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:47:52.589293003 CEST53618058.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:02.747829914 CEST5479553192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:02.759968996 CEST53547958.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:04.927238941 CEST4955753192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:04.940278053 CEST53495578.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:06.155400038 CEST6173353192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:06.167747021 CEST53617338.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:07.196096897 CEST6544753192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:07.217538118 CEST53654478.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:08.452764988 CEST5244153192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:08.465712070 CEST53524418.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:19.151809931 CEST6217653192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:19.164824963 CEST53621768.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:20.287110090 CEST5959653192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:20.300358057 CEST53595968.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:22.635272026 CEST6529653192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:22.647893906 CEST53652968.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:23.028289080 CEST6318353192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:23.040791988 CEST53631838.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:29.042406082 CEST6015153192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:29.060874939 CEST53601518.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:30.959913969 CEST5696953192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:30.973500013 CEST53569698.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:48:43.710974932 CEST5516153192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:48:43.723860979 CEST53551618.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:49:04.555234909 CEST5475753192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:49:04.567758083 CEST53547578.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:49:07.309771061 CEST4999253192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:49:07.329549074 CEST53499928.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:49:22.174190998 CEST6007553192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:49:22.200989008 CEST53600758.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:49:43.669694901 CEST5501653192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:49:43.682336092 CEST53550168.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:49:45.390861034 CEST6434553192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:49:45.404653072 CEST53643458.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:50:04.505937099 CEST5712853192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:50:04.519083023 CEST53571288.8.8.8192.168.2.5
                                                                                                                Apr 8, 2021 10:50:04.538531065 CEST5479153192.168.2.58.8.8.8
                                                                                                                Apr 8, 2021 10:50:04.552460909 CEST53547918.8.8.8192.168.2.5

                                                                                                                DNS Queries

                                                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                                Apr 8, 2021 10:50:04.505937099 CEST192.168.2.58.8.8.80xf1a2Standard query (0)smtp.yandex.comA (IP address)IN (0x0001)
                                                                                                                Apr 8, 2021 10:50:04.538531065 CEST192.168.2.58.8.8.80x7614Standard query (0)smtp.yandex.comA (IP address)IN (0x0001)

                                                                                                                DNS Answers

                                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                Apr 8, 2021 10:50:04.519083023 CEST8.8.8.8192.168.2.50xf1a2No error (0)smtp.yandex.comsmtp.yandex.ruCNAME (Canonical name)IN (0x0001)
                                                                                                                Apr 8, 2021 10:50:04.519083023 CEST8.8.8.8192.168.2.50xf1a2No error (0)smtp.yandex.ru77.88.21.158A (IP address)IN (0x0001)
                                                                                                                Apr 8, 2021 10:50:04.552460909 CEST8.8.8.8192.168.2.50x7614No error (0)smtp.yandex.comsmtp.yandex.ruCNAME (Canonical name)IN (0x0001)
                                                                                                                Apr 8, 2021 10:50:04.552460909 CEST8.8.8.8192.168.2.50x7614No error (0)smtp.yandex.ru77.88.21.158A (IP address)IN (0x0001)

                                                                                                                SMTP Packets

                                                                                                                TimestampSource PortDest PortSource IPDest IPCommands
                                                                                                                Apr 8, 2021 10:50:04.956531048 CEST5874972477.88.21.158192.168.2.5220 vla3-3dd1bd6927b2.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
                                                                                                                Apr 8, 2021 10:50:04.957103968 CEST49724587192.168.2.577.88.21.158EHLO 888683
                                                                                                                Apr 8, 2021 10:50:05.016228914 CEST5874972477.88.21.158192.168.2.5250-vla3-3dd1bd6927b2.qloud-c.yandex.net
                                                                                                                250-8BITMIME
                                                                                                                250-PIPELINING
                                                                                                                250-SIZE 42991616
                                                                                                                250-STARTTLS
                                                                                                                250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                                250-DSN
                                                                                                                250 ENHANCEDSTATUSCODES
                                                                                                                Apr 8, 2021 10:50:05.016913891 CEST49724587192.168.2.577.88.21.158STARTTLS
                                                                                                                Apr 8, 2021 10:50:05.075756073 CEST5874972477.88.21.158192.168.2.5220 Go ahead

                                                                                                                Code Manipulations

                                                                                                                Statistics

                                                                                                                CPU Usage

                                                                                                                Click to jump to process

                                                                                                                Memory Usage

                                                                                                                Click to jump to process

                                                                                                                High Level Behavior Distribution

                                                                                                                Click to dive into process behavior distribution

                                                                                                                Behavior

                                                                                                                Click to jump to process

                                                                                                                System Behavior

                                                                                                                Analysis Process: C6RET8T1Wi.exe PID: 6460 Parent PID: 5628

                                                                                                                General

                                                                                                                Start time:10:48:04
                                                                                                                Start date:08/04/2021
                                                                                                                Path:C:\Users\user\Desktop\C6RET8T1Wi.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:'C:\Users\user\Desktop\C6RET8T1Wi.exe'
                                                                                                                Imagebase:0x900000
                                                                                                                File size:1031168 bytes
                                                                                                                MD5 hash:133B4A863E9A9C74B7320F54ABF199D7
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.294530199.0000000003F46000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                Reputation:low

                                                                                                                Chronological Activities

                                                                                                                Analysis Process: schtasks.exe PID: 6860 Parent PID: 6460

                                                                                                                General

                                                                                                                Start time:10:48:15
                                                                                                                Start date:08/04/2021
                                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp'
                                                                                                                Imagebase:0xac0000
                                                                                                                File size:185856 bytes
                                                                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                Chronological Activities

                                                                                                                Analysis Process: conhost.exe PID: 6888 Parent PID: 6860

                                                                                                                General

                                                                                                                Start time:10:48:16
                                                                                                                Start date:08/04/2021
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff797770000
                                                                                                                File size:625664 bytes
                                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                Chronological Activities

                                                                                                                Analysis Process: C6RET8T1Wi.exe PID: 6968 Parent PID: 6460

                                                                                                                General

                                                                                                                Start time:10:48:16
                                                                                                                Start date:08/04/2021
                                                                                                                Path:C:\Users\user\Desktop\C6RET8T1Wi.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Users\user\Desktop\C6RET8T1Wi.exe
                                                                                                                Imagebase:0x350000
                                                                                                                File size:1031168 bytes
                                                                                                                MD5 hash:133B4A863E9A9C74B7320F54ABF199D7
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:low

                                                                                                                Chronological Activities

                                                                                                                Analysis Process: C6RET8T1Wi.exe PID: 7028 Parent PID: 6460

                                                                                                                General

                                                                                                                Start time:10:48:17
                                                                                                                Start date:08/04/2021
                                                                                                                Path:C:\Users\user\Desktop\C6RET8T1Wi.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\Desktop\C6RET8T1Wi.exe
                                                                                                                Imagebase:0xcb0000
                                                                                                                File size:1031168 bytes
                                                                                                                MD5 hash:133B4A863E9A9C74B7320F54ABF199D7
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.528245994.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                Reputation:low

                                                                                                                Chronological Activities

                                                                                                                Disassembly

                                                                                                                Code Analysis

                                                                                                                Reset < >

                                                                                                                  Analysis Process: C6RET8T1Wi.exe PID: 6460 Parent PID: 5628 C6RET8T1Wi.exeCOMMON

                                                                                                                  Executed Functions

                                                                                                                  Function 04E20848, Relevance: 2.8, Strings: 2, Instructions: 258COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: E=>f$E=>f
                                                                                                                  • API String ID: 0-454667802
                                                                                                                  • Opcode ID: 10ebd07a9816d09407cbd87867bccc24d3140954b0721bbe934f1516974a48ad
                                                                                                                  • Instruction ID: 0b659e13325c6543b10f56d7a5b36500212bdf0d3f43a3b868264780a7b7e124
                                                                                                                  • Opcode Fuzzy Hash: 10ebd07a9816d09407cbd87867bccc24d3140954b0721bbe934f1516974a48ad
                                                                                                                  • Instruction Fuzzy Hash: E1B18F74E10228CFDB18DFA4DA896DEBBB1FB49300F10956AD506AB394DB386985CF50
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E20890, Relevance: 2.7, Strings: 2, Instructions: 233COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: E=>f$E=>f
                                                                                                                  • API String ID: 0-454667802
                                                                                                                  • Opcode ID: e9da90f47aa54b2e76078732c3165c7917fe52d1ab3e399fbfea22333e7c6c25
                                                                                                                  • Instruction ID: f6ae696f7fafbff3d6b0a6517f6428d64eeb0e64e9cedfa4a0067a7290adb78c
                                                                                                                  • Opcode Fuzzy Hash: e9da90f47aa54b2e76078732c3165c7917fe52d1ab3e399fbfea22333e7c6c25
                                                                                                                  • Instruction Fuzzy Hash: CBB15AB0E10228CFDB18DFA5DA996DDBBB1FF89300F109529D506AB394DB386981CF14
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E20BD1, Relevance: 2.7, Strings: 2, Instructions: 196COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: E=>f$E=>f
                                                                                                                  • API String ID: 0-454667802
                                                                                                                  • Opcode ID: 9442a0178306db47464d08fa7d45bfbdfe09835d36367d3bb7634ab98348f2d0
                                                                                                                  • Instruction ID: f00de404d7bb37b7ef4216ebb5731e9e8ad862ed43d4a3c318d5b24edb8c3cac
                                                                                                                  • Opcode Fuzzy Hash: 9442a0178306db47464d08fa7d45bfbdfe09835d36367d3bb7634ab98348f2d0
                                                                                                                  • Instruction Fuzzy Hash: FC9139B4E14228DFCB14DFA4DA996DDBBB1FB88300F10956AD506A7394EB386981CF14
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E27889, Relevance: 2.6, Strings: 2, Instructions: 136COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: uny$uny
                                                                                                                  • API String ID: 0-3598427480
                                                                                                                  • Opcode ID: cde49dce35f33240226ad89217eb765c90cacf55668f19a9794cb9aa4740ff66
                                                                                                                  • Instruction ID: 608c7d3ac90e0906cb70c48705d42e352aaac17b03aab44fe15f2fd99628dd8c
                                                                                                                  • Opcode Fuzzy Hash: cde49dce35f33240226ad89217eb765c90cacf55668f19a9794cb9aa4740ff66
                                                                                                                  • Instruction Fuzzy Hash: BD513775E0062ACFDB64CF66CD40BD9B7B2FF98301F1096EAD10AA2200E7746AC58F54
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014FDB21, Relevance: 1.7, APIs: 1, Instructions: 240COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014FDD8A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 716092398-0
                                                                                                                  • Opcode ID: b846fbf9a80a855e5f7a0ea802dbfcb3c05342a4ce8368f712d40c631b4e9a5c
                                                                                                                  • Instruction ID: 6b8f82d41de75c4ff781669687ad50172f41bc6e350efdff0425185b3a3e6bb1
                                                                                                                  • Opcode Fuzzy Hash: b846fbf9a80a855e5f7a0ea802dbfcb3c05342a4ce8368f712d40c631b4e9a5c
                                                                                                                  • Instruction Fuzzy Hash: 7B9118B1C09388AFCB16CFA5D854ACDBFB1BF4A300F19849AE544AB262D7349949CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E262A0, Relevance: 1.6, Strings: 1, Instructions: 311COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: in2e
                                                                                                                  • API String ID: 0-4119543833
                                                                                                                  • Opcode ID: 61ac16a3d22e8e1b88c55c57a289bade9bdbc3a9968589c56c381e573007a676
                                                                                                                  • Instruction ID: fdb90427543a021fb4206b0a8047716ceda670f7eead2357d0cad81b1be73856
                                                                                                                  • Opcode Fuzzy Hash: 61ac16a3d22e8e1b88c55c57a289bade9bdbc3a9968589c56c381e573007a676
                                                                                                                  • Instruction Fuzzy Hash: 96D12874E01218DFDB44CFA5EA45BDDBBF2FB89300F209529E405BB294E775A9418F24
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E262B0, Relevance: 1.6, Strings: 1, Instructions: 307COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: in2e
                                                                                                                  • API String ID: 0-4119543833
                                                                                                                  • Opcode ID: a3b00b59e62279b9e77677c8dade286d8a2b5418316f1af112f253836fc6fb8f
                                                                                                                  • Instruction ID: 4d1f54fcc4a856d79df20ce81252e65048df77caebde7172be2cb87a2faae49e
                                                                                                                  • Opcode Fuzzy Hash: a3b00b59e62279b9e77677c8dade286d8a2b5418316f1af112f253836fc6fb8f
                                                                                                                  • Instruction Fuzzy Hash: C9C12874E01218DFDB44CFA5EA45BDDBBF2FF89300F209529E409BB294E775A9418B24
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014FD4F0, Relevance: 1.5, Strings: 1, Instructions: 295COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule
                                                                                                                  • String ID: +;il^
                                                                                                                  • API String ID: 4139908857-3692895748
                                                                                                                  • Opcode ID: 1f5b38dc8c0c6010ae4cb47d3d4815c9ca876bcad671a6fa54d12131422895bf
                                                                                                                  • Instruction ID: d57b9520ae65cd941a513f99c150560a76ddf3b69c08b99524670393bdcf5877
                                                                                                                  • Opcode Fuzzy Hash: 1f5b38dc8c0c6010ae4cb47d3d4815c9ca876bcad671a6fa54d12131422895bf
                                                                                                                  • Instruction Fuzzy Hash: EDB19F74A007458FCB04DFB9C49466EBBF1FF89214B108A2ED64ADB761EB34E805CB91
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E21B18, Relevance: 1.5, Strings: 1, Instructions: 273COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: )P9q
                                                                                                                  • API String ID: 0-3108297992
                                                                                                                  • Opcode ID: 300eceff85abce641ab4aae131f8f59cb8291e75db6b3d6d971ccc64eaf8e12c
                                                                                                                  • Instruction ID: cfbaba1a9323c33bceb7c56e5be38e79b9ce1e75080bb57038180056d25ac111
                                                                                                                  • Opcode Fuzzy Hash: 300eceff85abce641ab4aae131f8f59cb8291e75db6b3d6d971ccc64eaf8e12c
                                                                                                                  • Instruction Fuzzy Hash: 6BB13974E05219CFCB04CFA9C6815DEFBF2BF89310F25D56AC415AB314EB34AA428B65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E268B8, Relevance: 1.5, Strings: 1, Instructions: 216COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: bp
                                                                                                                  • API String ID: 0-3979983585
                                                                                                                  • Opcode ID: e5290c6d4d0a024ca5a3b42f1d68ec4ae0a4bf2a22803db59925af576ffeb422
                                                                                                                  • Instruction ID: cc858a6d9d94773910914d9ce11f1a7d779fedd944f25191b02851b5cb4cf53e
                                                                                                                  • Opcode Fuzzy Hash: e5290c6d4d0a024ca5a3b42f1d68ec4ae0a4bf2a22803db59925af576ffeb422
                                                                                                                  • Instruction Fuzzy Hash: A69147B4E002589FDB04DFA5D9845AEBBB2FF89300F20956AE815AB354DB34AA41CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E268C8, Relevance: 1.4, Strings: 1, Instructions: 186COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: bp
                                                                                                                  • API String ID: 0-3979983585
                                                                                                                  • Opcode ID: a43efa1639382a1af2256ad761c857e846ce0e5fc19eb3e3552b9b56e5b676e5
                                                                                                                  • Instruction ID: a6fcb0b7ff8ea6e6d5cc8c615a2e7662a281cadf7140e91b1c8f4c1389bf97a4
                                                                                                                  • Opcode Fuzzy Hash: a43efa1639382a1af2256ad761c857e846ce0e5fc19eb3e3552b9b56e5b676e5
                                                                                                                  • Instruction Fuzzy Hash: 208114B4E002589FDB04DFA5D9845AEFBB2FF89300F20952AE815AB354DB34A942CF55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 054844BC, Relevance: .4, Instructions: 403COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297993948.0000000005480000.00000040.00000001.sdmp, Offset: 05480000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b6580163a89d65337881de1245ca0385e0798a67cef34993fbd599b5169a2b7f
                                                                                                                  • Instruction ID: 1b92cad28a7915ebd7817dacd90956d14d54a1b2dea0c9aa505e2c0505e23f08
                                                                                                                  • Opcode Fuzzy Hash: b6580163a89d65337881de1245ca0385e0798a67cef34993fbd599b5169a2b7f
                                                                                                                  • Instruction Fuzzy Hash: AE12B934A50218CFCB54EF64C899EDDB7B1FF4A301F1581AAE609AB365DB31A985CF10
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E2A038, Relevance: .3, Instructions: 333COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ac3a51a197bb36623636aa897658550b62fc6b8290e0b9a968cf43ebc933c7d7
                                                                                                                  • Instruction ID: 7a97384baa1a5f7738086feb40162aaabe1580ea7e120f3e84168420e57b9577
                                                                                                                  • Opcode Fuzzy Hash: ac3a51a197bb36623636aa897658550b62fc6b8290e0b9a968cf43ebc933c7d7
                                                                                                                  • Instruction Fuzzy Hash: 8CC1BBB17006158FEB19DB76C560BAFB3E6AF98708F14847ED1468B3A0CB35E905CB50
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E22019, Relevance: .2, Instructions: 203COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6f34059cec52a517782f90001fc992f76f8a3c6e4ed8c2f92a905914c2da38da
                                                                                                                  • Instruction ID: 10e0979c954458e91835a7136131124182916f01887bb258128d450a014ee385
                                                                                                                  • Opcode Fuzzy Hash: 6f34059cec52a517782f90001fc992f76f8a3c6e4ed8c2f92a905914c2da38da
                                                                                                                  • Instruction Fuzzy Hash: C1816E71E0521A8FCB04CFAAD6419EEFBF2AF89310F14E46AD515A7254D734A542CFA0
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E27690, Relevance: .2, Instructions: 191COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8c29a09a5dff9269ef356396e78036baffaae4e350511d798bba6d5fbc19d418
                                                                                                                  • Instruction ID: ee5db7bfaa3b7c163df44a1baea1b0e492e0bba15f46c7cd3262ce55c6af0971
                                                                                                                  • Opcode Fuzzy Hash: 8c29a09a5dff9269ef356396e78036baffaae4e350511d798bba6d5fbc19d418
                                                                                                                  • Instruction Fuzzy Hash: 33813A71E00629CBDB64CF66CD40BDEBBB2FF88301F14D6AAD509A7214EB705A818F55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E277F6, Relevance: .1, Instructions: 137COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fd6014e2759493e8259c62d1c2d11b81b06b91d44461476dedd2edb4b05cc5c9
                                                                                                                  • Instruction ID: 600e74a04b556f6dc49f64efa9a1f332299531f6d73e0bb6d545daec0244fd78
                                                                                                                  • Opcode Fuzzy Hash: fd6014e2759493e8259c62d1c2d11b81b06b91d44461476dedd2edb4b05cc5c9
                                                                                                                  • Instruction Fuzzy Hash: AD515875A0462ACFDB64DF15CD40BEAB7B2FF89301F1096AAD50EA3204E7706AC58F15
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E25BC3, Relevance: .1, Instructions: 134COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 37082dceb5eae77fd4f595cadf72e9587daf590072f5f85bfc1e480da5c65f10
                                                                                                                  • Instruction ID: 84248957b7ecfbce0a033b01c658f1bf6c1c19538cec221df97e112424f4ba77
                                                                                                                  • Opcode Fuzzy Hash: 37082dceb5eae77fd4f595cadf72e9587daf590072f5f85bfc1e480da5c65f10
                                                                                                                  • Instruction Fuzzy Hash: B2418D70E15218DBCB08CFA5DA455DEFBF2FBCD311F24A82AE405B7254EB3499418B29
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E278E6, Relevance: .1, Instructions: 133COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fa1c355bebe93236249553f087e93198c2d0005cf383605e5004541878da4e77
                                                                                                                  • Instruction ID: 607968cb83e1ab00dd212750b6ece00cd5ee5dd4f5e77003e59104ded5698754
                                                                                                                  • Opcode Fuzzy Hash: fa1c355bebe93236249553f087e93198c2d0005cf383605e5004541878da4e77
                                                                                                                  • Instruction Fuzzy Hash: 14513871A0066ACFDB64CF55C940BDDB7B2FF89301F1096AAD10AB3244EB74AAC58F14
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E25BD0, Relevance: .1, Instructions: 129COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 43dfe03c187230cc75deea23f47beaae6c21c85f25cb6762bc140b0ed5b036f6
                                                                                                                  • Instruction ID: 4d3a0ac43b6498a7761a386a50c6cbdbae8317b4c12c6574f9cdb6de1bf2a85c
                                                                                                                  • Opcode Fuzzy Hash: 43dfe03c187230cc75deea23f47beaae6c21c85f25cb6762bc140b0ed5b036f6
                                                                                                                  • Instruction Fuzzy Hash: 2B413E70E15218DBCB08CFA5D6456DEFBF2FBCD311F14A42AE409B7254EB3499418B29
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E278D7, Relevance: .1, Instructions: 126COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8d31040649beb899c6e333ad3938b85f51a9360837a3c2695d8402633c005072
                                                                                                                  • Instruction ID: 5703a1352d4348f64eb040cd27df151fc45b5c46540f544eb3cd9b445d85c53a
                                                                                                                  • Opcode Fuzzy Hash: 8d31040649beb899c6e333ad3938b85f51a9360837a3c2695d8402633c005072
                                                                                                                  • Instruction Fuzzy Hash: 88513675A0066ACFDB64CF55C940BDAB7B2BF88301F1096AAD50AA3244EB706AC58F14
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E2790D, Relevance: .1, Instructions: 126COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 65a4011004a7c17875261c39279afb75948a61c5ae515b7f69c1ec86ae7114a2
                                                                                                                  • Instruction ID: e643bb72686a2e20a1be64f79746228be8957172a753fe0de6ee1ab840089e9f
                                                                                                                  • Opcode Fuzzy Hash: 65a4011004a7c17875261c39279afb75948a61c5ae515b7f69c1ec86ae7114a2
                                                                                                                  • Instruction Fuzzy Hash: 9E513775A0066ACFDB64CF55CD40BDAB7B2BF88301F1096AAD50AA3204EB706AC58F14
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E29827, Relevance: .1, Instructions: 64COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d1fe30436117a5674bbb7a69530f8f243989b936cc35a6d27c8defeddd9b0da8
                                                                                                                  • Instruction ID: 8dcd62b4119da847261d4611c6709d0d3eb315746383846fae4e127e890eb249
                                                                                                                  • Opcode Fuzzy Hash: d1fe30436117a5674bbb7a69530f8f243989b936cc35a6d27c8defeddd9b0da8
                                                                                                                  • Instruction Fuzzy Hash: 68115EB1E05268CBDB198FB5D5087EDBFF0AB4A315F18706AD41177242C7745944CFA8
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E29838, Relevance: .1, Instructions: 53COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ce1da83816f0b04b1dafe67cdf70c1afe9bf06f343ddac5b15dd0cad02adce1d
                                                                                                                  • Instruction ID: 10d9b3c132e6f3ecae69abbb51a69a96737d9a2c69e771b8969d58437a6a5ece
                                                                                                                  • Opcode Fuzzy Hash: ce1da83816f0b04b1dafe67cdf70c1afe9bf06f343ddac5b15dd0cad02adce1d
                                                                                                                  • Instruction Fuzzy Hash: BC115A70E04228CBDB18CFA5C518BEDBBF0AF4E305F18A06AE405B3291DB785944DF68
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E298EC, Relevance: .0, Instructions: 27COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1b106f9c4c34ff9576e2ed373ccc757d806e6ab35af8261c56d51aa1adfc0d54
                                                                                                                  • Instruction ID: 89a63ea62b27e1f5fafae446d4edbcc7d9d1d2c37559753951e413d6237d5484
                                                                                                                  • Opcode Fuzzy Hash: 1b106f9c4c34ff9576e2ed373ccc757d806e6ab35af8261c56d51aa1adfc0d54
                                                                                                                  • Instruction Fuzzy Hash: 7EE022E1A4D2A5CFD7164FA08D612FABFB0AB07200F0830CAD082FB163D6689105DF50
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E248A4, Relevance: 1.8, APIs: 1, Instructions: 251processCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E24AE6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 963392458-0
                                                                                                                  • Opcode ID: e3906c7dfb9501e33a2a9c17abbd818805a512f1a9d0503b97d842b887a3601d
                                                                                                                  • Instruction ID: 9d21f23a6eea67ea938dda26a198843baab3449a741ef894c4b1292884d30d10
                                                                                                                  • Opcode Fuzzy Hash: e3906c7dfb9501e33a2a9c17abbd818805a512f1a9d0503b97d842b887a3601d
                                                                                                                  • Instruction Fuzzy Hash: AAA14E71D002299FDF10DFA4CD417EDBBB2BF48318F158569E849A7280DB74A985CF91
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E248B0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E24AE6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 963392458-0
                                                                                                                  • Opcode ID: e6b6c5c0e757b853a7736c49ce6df6351677aa9ad5b820fb021e0e6a7edaf36a
                                                                                                                  • Instruction ID: 4aa07cda1d02ec4e5f7d61c27e949b6c3a27cfdb8dc8562010f2229e9e206672
                                                                                                                  • Opcode Fuzzy Hash: e6b6c5c0e757b853a7736c49ce6df6351677aa9ad5b820fb021e0e6a7edaf36a
                                                                                                                  • Instruction Fuzzy Hash: D5913D71D002299FDF10DFA8CD417EEBBB2BF48318F058569E849A7280DB74A985CF91
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014FBBC8, Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4139908857-0
                                                                                                                  • Opcode ID: d9df1a0fc062c74a7b92fdf62e5d822f837e8b1437fd1fa52fcb8f2385140680
                                                                                                                  • Instruction ID: 5893489d0ec3ecc4a8fb2e77eed46933ffa08e9f81c892f97ef36b863a4e5f90
                                                                                                                  • Opcode Fuzzy Hash: d9df1a0fc062c74a7b92fdf62e5d822f837e8b1437fd1fa52fcb8f2385140680
                                                                                                                  • Instruction Fuzzy Hash: B4711370A00B458FD724DF2AC45575BBBF1FF89204F108A2ED68ADBB50DB35E8458B91
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014FB0FC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014FDD8A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 716092398-0
                                                                                                                  • Opcode ID: f562f968c4579203e352d56e5c2b5558f414713973c0f6fbacf4268a3b62b844
                                                                                                                  • Instruction ID: 304dbc30e6afb91e296b848da4098af3b80a80e59520b684451f5f9f6ce56d7c
                                                                                                                  • Opcode Fuzzy Hash: f562f968c4579203e352d56e5c2b5558f414713973c0f6fbacf4268a3b62b844
                                                                                                                  • Instruction Fuzzy Hash: 3A519FB1D003499FDB14CFD9C884ADEBBB6BF48314F24812AE919AB350D7749985CF90
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014F6D49, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014F6D86,?,?,?,?,?), ref: 014F6E47
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DuplicateHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3793708945-0
                                                                                                                  • Opcode ID: e6b491c1baa81a4fa1fc78d0479961878774270c93f09446245de80fae57e125
                                                                                                                  • Instruction ID: e0827eadab998390ff9f38c82d103945175c27b957e62c38cbc8ce8b7fbcf0c9
                                                                                                                  • Opcode Fuzzy Hash: e6b491c1baa81a4fa1fc78d0479961878774270c93f09446245de80fae57e125
                                                                                                                  • Instruction Fuzzy Hash: AA4139769002489FCF01CFA9D944AEEBFF5FB48310F15806AEA14A7360C7359955DFA0
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 05482D34, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 05483F51
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297993948.0000000005480000.00000040.00000001.sdmp, Offset: 05480000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: Create
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2289755597-0
                                                                                                                  • Opcode ID: 71f9dae5e403f10838307e6c5b121695f1ef42f568d267d8d4702d75fc23cfbc
                                                                                                                  • Instruction ID: b2e81ab56d905a1b6f7bde07d652bd0cbe8a50c75bc6fd5088cfc97b4bb1eb2e
                                                                                                                  • Opcode Fuzzy Hash: 71f9dae5e403f10838307e6c5b121695f1ef42f568d267d8d4702d75fc23cfbc
                                                                                                                  • Instruction Fuzzy Hash: B04100B0C0461DCFDB20DFA9C884BDEBBB1BF48708F60846AD509AB255DB746945CF90
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 05480CD0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 05480D91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297993948.0000000005480000.00000040.00000001.sdmp, Offset: 05480000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: CallProcWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2714655100-0
                                                                                                                  • Opcode ID: aaa58018f845acc0dad293866ad882ec2ba1a21cd6867a3eeee4e39b4296bfa8
                                                                                                                  • Instruction ID: 51134afdc73652aba0a2b18b1f722adc826042ca635452c7cd02b6edde3db3e5
                                                                                                                  • Opcode Fuzzy Hash: aaa58018f845acc0dad293866ad882ec2ba1a21cd6867a3eeee4e39b4296bfa8
                                                                                                                  • Instruction Fuzzy Hash: 314129B89003058FCB14DF99C488AAEBBF5FF89314F248459E919AB321D774A845CFA0
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E24620, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E246B8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3559483778-0
                                                                                                                  • Opcode ID: 93d9bc2636a436896edd45d5f211a7158e118fd87b04ae0648e1bb575adf9294
                                                                                                                  • Instruction ID: 343fbadf8d79cbaae979508c6d34f439a21d665a1c8e6adcab0ae060c04f1128
                                                                                                                  • Opcode Fuzzy Hash: 93d9bc2636a436896edd45d5f211a7158e118fd87b04ae0648e1bb575adf9294
                                                                                                                  • Instruction Fuzzy Hash: 052104719002599FCF10DFA9C9847EEBBF5EF48314F10842AE919A7290D778AA45CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014FDE81, Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,014FDEA8,?,?,?,?), ref: 014FDF1D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: LongWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1378638983-0
                                                                                                                  • Opcode ID: 8086dba255a0baa22629b5c1ab71a0c8f185512111ef2e99d5dd5494ad81ba21
                                                                                                                  • Instruction ID: 9d9a08375957586a65958ed6572d1e18ae461562190b573521543a7302dbf6c2
                                                                                                                  • Opcode Fuzzy Hash: 8086dba255a0baa22629b5c1ab71a0c8f185512111ef2e99d5dd5494ad81ba21
                                                                                                                  • Instruction Fuzzy Hash: 522166B5900249DFDB11DFA4D588BDABFF4EF49324F18844AE558A7221D334A944CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E24628, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E246B8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3559483778-0
                                                                                                                  • Opcode ID: af0fb3644d004df1efa038cb550dcb67a19e0fec85ac4d368e4b3d98e31b39e3
                                                                                                                  • Instruction ID: 16787fd8049ceac6ead4c3b87cb49e70349229d2d1286ecbed83a0b48f77378c
                                                                                                                  • Opcode Fuzzy Hash: af0fb3644d004df1efa038cb550dcb67a19e0fec85ac4d368e4b3d98e31b39e3
                                                                                                                  • Instruction Fuzzy Hash: 7E21F5719003599FCF10DFA9C985BEEBBF5FF48314F108429E919A7250DB78A944CBA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E24488, Relevance: 1.6, APIs: 1, Instructions: 67threadinjectionCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 04E2450E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: ContextThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1591575202-0
                                                                                                                  • Opcode ID: 215367ede548cb124b4f6a75e6cdd3e095f8df1aa84c095ca7ff23377310860b
                                                                                                                  • Instruction ID: 4f69dba094f7b93b3bc8f0431c0cdd7383c836218dee1081c318eeb0e36cd974
                                                                                                                  • Opcode Fuzzy Hash: 215367ede548cb124b4f6a75e6cdd3e095f8df1aa84c095ca7ff23377310860b
                                                                                                                  • Instruction Fuzzy Hash: 7E215971D003098FDB10CFAAC4847EEBBF5EF48328F14842AD559A7240DB78A945CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E24710, Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E24798
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: MemoryProcessRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1726664587-0
                                                                                                                  • Opcode ID: 212231310b5f19f625d8c371d97b6fd190841b487eff33bac50e02022d9ef8f9
                                                                                                                  • Instruction ID: 3c06407e598d123f8c21a621461b8bef2d59d79460619ef334306b3d1325f402
                                                                                                                  • Opcode Fuzzy Hash: 212231310b5f19f625d8c371d97b6fd190841b487eff33bac50e02022d9ef8f9
                                                                                                                  • Instruction Fuzzy Hash: A5214A718003599FCF10DFAAC8846EEBBF5FF48324F008429E929A7240DB34A944CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014F6764, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014F6D86,?,?,?,?,?), ref: 014F6E47
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DuplicateHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3793708945-0
                                                                                                                  • Opcode ID: 6bd398c6cd6fc0af544dd4d8205c1ac2a3a11c1a12d074b5a84ca76ae78b6914
                                                                                                                  • Instruction ID: a4efaa58736c8d30e74a0a2ac47caa1fbfeda7c173b8381447366df6537e304c
                                                                                                                  • Opcode Fuzzy Hash: 6bd398c6cd6fc0af544dd4d8205c1ac2a3a11c1a12d074b5a84ca76ae78b6914
                                                                                                                  • Instruction Fuzzy Hash: 3821E4B59003489FDB10CFAAD884AEEBBF5FB48324F14841AEA14B7351D374A944CFA5
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014F6DB8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014F6D86,?,?,?,?,?), ref: 014F6E47
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DuplicateHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3793708945-0
                                                                                                                  • Opcode ID: 5208293cd90dcca21c680d887334d4cc7698372b8fdba1b6ac669063ae41724d
                                                                                                                  • Instruction ID: 559239e49906c095cb09ab058f449090abb659e18755e07624072026fe349402
                                                                                                                  • Opcode Fuzzy Hash: 5208293cd90dcca21c680d887334d4cc7698372b8fdba1b6ac669063ae41724d
                                                                                                                  • Instruction Fuzzy Hash: F721E3B59002489FDB10CFAAD984AEEBFF9EB48324F15841AE914B7311D374A944CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E24490, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 04E2450E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: ContextThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1591575202-0
                                                                                                                  • Opcode ID: 532093b857a8d2ad7a720213b14ffb89e3511d28ef49f26179a11c7be0b29847
                                                                                                                  • Instruction ID: 07d98774c4a3a8b6e941d1a1405f79bc88d83545146616a0c50b5fa2ca305360
                                                                                                                  • Opcode Fuzzy Hash: 532093b857a8d2ad7a720213b14ffb89e3511d28ef49f26179a11c7be0b29847
                                                                                                                  • Instruction Fuzzy Hash: FD213871D003498FDB10DFAAC4847EEBBF5EF48328F14842AD559A7240DB78A945CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E24718, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E24798
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: MemoryProcessRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1726664587-0
                                                                                                                  • Opcode ID: 6c62f61b3179fc6d58a3958b1baff64cc4ac4a46d74db9e9c058d2e9ff5d7bc4
                                                                                                                  • Instruction ID: c19625b62699639f64cc0669f439cc71678d43d84d4516e8d37e99a82172eff4
                                                                                                                  • Opcode Fuzzy Hash: 6c62f61b3179fc6d58a3958b1baff64cc4ac4a46d74db9e9c058d2e9ff5d7bc4
                                                                                                                  • Instruction Fuzzy Hash: FE2139718003599FCF00DFAAC8846EEBBF5FF48324F108429E919A7240D774A944CBA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014FB10A, Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,014FDEA8,?,?,?,?), ref: 014FDF1D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: LongWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1378638983-0
                                                                                                                  • Opcode ID: f4407251041619c4c6752791f17a8fcbd86f86314728b9fc1eecc5d33d87c0b7
                                                                                                                  • Instruction ID: 6636c05fcff7c1ce1b5ae468906f7c74b28e03a8f0e66c56a0ddc0b23f73ce26
                                                                                                                  • Opcode Fuzzy Hash: f4407251041619c4c6752791f17a8fcbd86f86314728b9fc1eecc5d33d87c0b7
                                                                                                                  • Instruction Fuzzy Hash: CB2177B1C003488FDB10DF99C485BEABFF8EB48324F20850AD955A7350C374A946CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014FAFC0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014FBE89,00000800,00000000,00000000), ref: 014FC09A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: LibraryLoad
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1029625771-0
                                                                                                                  • Opcode ID: 70fd1bd6e870c70932c86df7ddadf9ffafb1197c664fcf9f69af6e20cd18213f
                                                                                                                  • Instruction ID: af2c9462282e138d232032d1513917ae7b5dbd365ecf543c24840cc6101c2139
                                                                                                                  • Opcode Fuzzy Hash: 70fd1bd6e870c70932c86df7ddadf9ffafb1197c664fcf9f69af6e20cd18213f
                                                                                                                  • Instruction Fuzzy Hash: 9E1103B69002489FDB14CF9AC484BAEBBF5AB49324F00842EEA19B7310C775A545CFA5
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E24560, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E245D6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4275171209-0
                                                                                                                  • Opcode ID: 1bd9b9be64d48f004db231e783c10a5554e3644507a1405fc818694aff94dd77
                                                                                                                  • Instruction ID: 42adfaf18a0dde3dcd82b8d7981c5962b5520691207e918bc2dbc0a123acc782
                                                                                                                  • Opcode Fuzzy Hash: 1bd9b9be64d48f004db231e783c10a5554e3644507a1405fc818694aff94dd77
                                                                                                                  • Instruction Fuzzy Hash: E61144729042598FCF11DFAAC8446EFBBF5AF88324F14841AE565A7290CB35A944CFA0
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E243D9, Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: ResumeThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 947044025-0
                                                                                                                  • Opcode ID: 1a1a8d32c6c1210a37d43dce2dc3efc031c90251f9ff604cb9084c05d7cc777e
                                                                                                                  • Instruction ID: 3d25bdbdadcc92d7dc88b261caa42a071ba74b2183817451a321ffbcad95c623
                                                                                                                  • Opcode Fuzzy Hash: 1a1a8d32c6c1210a37d43dce2dc3efc031c90251f9ff604cb9084c05d7cc777e
                                                                                                                  • Instruction Fuzzy Hash: 171116B19046488FDB10DFAAC8447EEBBF5EB88228F148419D559A7240CB74A945CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E24568, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E245D6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4275171209-0
                                                                                                                  • Opcode ID: 1a191e47297d098c515bf5db6207d441231b12a8655f6db2dacd303ba24c027b
                                                                                                                  • Instruction ID: 7e7534525a298fc32652b54dfc4986ec8d304355d450f883e0a9208c7eda19d5
                                                                                                                  • Opcode Fuzzy Hash: 1a191e47297d098c515bf5db6207d441231b12a8655f6db2dacd303ba24c027b
                                                                                                                  • Instruction Fuzzy Hash: D21134719042499FCF10DFAAC844BEFBBF5EF88324F148419E915A7250CB75A944CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E21940, Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • OutputDebugStringW.KERNELBASE(00000000), ref: 04E219B8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DebugOutputString
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1166629820-0
                                                                                                                  • Opcode ID: 0106efcc4301a78aae89977bb445d72a7795fa65b9c4f320b33e14e6ff95eaef
                                                                                                                  • Instruction ID: 0599a30dd4a3ddace09a23d5f20ebd2fa69f685c0ccc4d57784864420f5ce407
                                                                                                                  • Opcode Fuzzy Hash: 0106efcc4301a78aae89977bb445d72a7795fa65b9c4f320b33e14e6ff95eaef
                                                                                                                  • Instruction Fuzzy Hash: B61123B5D006699BCB10CF9AD584BAEFBB4FB48324F10811AE819B3344D774A645CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014FC028, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014FBE89,00000800,00000000,00000000), ref: 014FC09A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: LibraryLoad
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1029625771-0
                                                                                                                  • Opcode ID: 970afc7f30b3d4ce4dff9a6b223b3e5aac1b23e56a497823d26c8f8f7d645e37
                                                                                                                  • Instruction ID: 5ab7023c88c2d54b0961046e9325d71b4ea98322d64f8753ef05020dbc547499
                                                                                                                  • Opcode Fuzzy Hash: 970afc7f30b3d4ce4dff9a6b223b3e5aac1b23e56a497823d26c8f8f7d645e37
                                                                                                                  • Instruction Fuzzy Hash: C41100B68002498FDB10CFAAC484BEEFBF4AB48324F15852ED615B7710C374A549CFA5
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E21948, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • OutputDebugStringW.KERNELBASE(00000000), ref: 04E219B8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DebugOutputString
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1166629820-0
                                                                                                                  • Opcode ID: de9f76995d7dbf74a2910dede509301b3b9e0377d8ae4dc9c38db24e62092f51
                                                                                                                  • Instruction ID: 40305115682d3edc7f70dbe8844e9073777486a355b5f80989db8f33d3310f5b
                                                                                                                  • Opcode Fuzzy Hash: de9f76995d7dbf74a2910dede509301b3b9e0377d8ae4dc9c38db24e62092f51
                                                                                                                  • Instruction Fuzzy Hash: 9711F3B1D006699BCB10CF9AD544BAEFBB4FB48324F10811AD819B3644D774A644CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014FAF68, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,014FBBDB), ref: 014FBE0E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4139908857-0
                                                                                                                  • Opcode ID: 761092b0e400043c698a9b3a1ee884c9482cc3074910e74cba804913952619e9
                                                                                                                  • Instruction ID: 4e4d0da1e9a145f3dafb0fe7980bc0b2f9b8975c9f7b3ff8cb242c4b47b28ca6
                                                                                                                  • Opcode Fuzzy Hash: 761092b0e400043c698a9b3a1ee884c9482cc3074910e74cba804913952619e9
                                                                                                                  • Instruction Fuzzy Hash: 9011F0B5C006498FDB10CF9AC444BAEBBF5EF89224F10841ADA19A7310C375A546CFA2
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E243E0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: ResumeThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 947044025-0
                                                                                                                  • Opcode ID: dd3b5bc2cd72be869b8e88c5aa054e69779cb3bc4519bd3f177c12b8bceab793
                                                                                                                  • Instruction ID: ea6fde40048ad8a112990fc71fc81fee3abbe2b3d311168dd4ab58f143506698
                                                                                                                  • Opcode Fuzzy Hash: dd3b5bc2cd72be869b8e88c5aa054e69779cb3bc4519bd3f177c12b8bceab793
                                                                                                                  • Instruction Fuzzy Hash: D411F5B19047488FDB10DFAAC8497EEBBF5AB88328F158429D519A7240DB74A944CBA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E23E8C, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 04E29155
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: MessagePost
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 410705778-0
                                                                                                                  • Opcode ID: ddaa6a52e6188b253d1c66d240cbb0de920abf58a93313bbb860aa9130414ebf
                                                                                                                  • Instruction ID: 6597539ef2b71642d25735f428c7da388a4655b1a84eacdd5954bf9c8c0f4ad1
                                                                                                                  • Opcode Fuzzy Hash: ddaa6a52e6188b253d1c66d240cbb0de920abf58a93313bbb860aa9130414ebf
                                                                                                                  • Instruction Fuzzy Hash: 2811F5B59007499FDB10DF9AC589BEFBBF8EB48324F108419E915B7201C774A944CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E290F0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 04E29155
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: MessagePost
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 410705778-0
                                                                                                                  • Opcode ID: f2be7a9188f62a61ecad97da9eeab1cf81283de0ef3c694cd25406fdcf33ea57
                                                                                                                  • Instruction ID: 6675bd9d4b28d2a2582e3b8d8dd6a827c5096205fdc295e2b7a97d4982ee68ea
                                                                                                                  • Opcode Fuzzy Hash: f2be7a9188f62a61ecad97da9eeab1cf81283de0ef3c694cd25406fdcf33ea57
                                                                                                                  • Instruction Fuzzy Hash: 1311E3B59003589FDB10CF9AC589BEFBBF8EB48324F108419E554A7201C774A944CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014FB134, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,014FDEA8,?,?,?,?), ref: 014FDF1D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: LongWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1378638983-0
                                                                                                                  • Opcode ID: 64e0249e65c5cd7fbefcbadc45a3dbe28e77e9accafb6532746aa4b522d8de63
                                                                                                                  • Instruction ID: 6177e153dd2abe3640bd2c3faffef2943f9bbed4d916682207720eb34d1e6b4d
                                                                                                                  • Opcode Fuzzy Hash: 64e0249e65c5cd7fbefcbadc45a3dbe28e77e9accafb6532746aa4b522d8de63
                                                                                                                  • Instruction Fuzzy Hash: 131103B58047489FDB10DF99D488BEEBBF8EB48324F10841AEA19B7300C374A944CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 010ED4D8, Relevance: .1, Instructions: 75COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291323928.00000000010ED000.00000040.00000001.sdmp, Offset: 010ED000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4b6e27df4d03363937811e832ad44e06108cbca16d0f78dd65b3a712a4595b9d
                                                                                                                  • Instruction ID: 4063c5598b2b9d5562e31ac6a3b494db7b5ecc7751bbcddc4467caaed3e79d40
                                                                                                                  • Opcode Fuzzy Hash: 4b6e27df4d03363937811e832ad44e06108cbca16d0f78dd65b3a712a4595b9d
                                                                                                                  • Instruction Fuzzy Hash: 51213AB2504344DFDB05CF94D9C8B2ABFE5FB88328F2485ADE9454B216C336D845CBA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 010FD01C, Relevance: .1, Instructions: 72COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291363060.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 567fdef98ff38711d785f6fa26904ca02dbebbd9a72eec98294bf2c68ab45dff
                                                                                                                  • Instruction ID: 14f58c14ec293452e2a8651750f57e57f20b8a38cd5c6c4a514988617a34a9e5
                                                                                                                  • Opcode Fuzzy Hash: 567fdef98ff38711d785f6fa26904ca02dbebbd9a72eec98294bf2c68ab45dff
                                                                                                                  • Instruction Fuzzy Hash: 702145B0504240EFCB11CF54D8C1B2ABBA1FB84354F20C5ADFA894B646C337D806CB61
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 010FD1D4, Relevance: .1, Instructions: 72COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291363060.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: dbc53a20c460df313031965dbd3424530e10d3d2fcbe57d2e9d39160ec920b14
                                                                                                                  • Instruction ID: aa65535c3fe5df345755f8e8530e50c2a8aecfbbe3fb3ed0409f466f66762c23
                                                                                                                  • Opcode Fuzzy Hash: dbc53a20c460df313031965dbd3424530e10d3d2fcbe57d2e9d39160ec920b14
                                                                                                                  • Instruction Fuzzy Hash: 9E219EB5504340EFDB41CF94C4C1B2ABBA1FB84324F20C5ADEA894B646C337D806CBA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 010ED4D3, Relevance: .1, Instructions: 56COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291323928.00000000010ED000.00000040.00000001.sdmp, Offset: 010ED000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d3d3a5c8a77c1f93a9d2bb5ebde4aa2dc7ff225c0119cd3fdbf9822ffe318854
                                                                                                                  • Instruction ID: dc90025fde2cf383704e449868cad76ecc7cccf888defb7b291c32b4c3750278
                                                                                                                  • Opcode Fuzzy Hash: d3d3a5c8a77c1f93a9d2bb5ebde4aa2dc7ff225c0119cd3fdbf9822ffe318854
                                                                                                                  • Instruction Fuzzy Hash: E611D376404280DFCB16CF54D9C4B16BFB2FB84324F2486AAD9450B657C33AD45ACBA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 010FD1CF, Relevance: .1, Instructions: 53COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291363060.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 824b1736f384bdc6cd6c50cf4b2c9d41c7c828cab6d25fe1576c05bac77cb3fe
                                                                                                                  • Instruction ID: 032c1bf87051a31147aed1dc9974b5d9262867fa3890482608891312a42f497b
                                                                                                                  • Opcode Fuzzy Hash: 824b1736f384bdc6cd6c50cf4b2c9d41c7c828cab6d25fe1576c05bac77cb3fe
                                                                                                                  • Instruction Fuzzy Hash: B711BE79504280DFCB42CF54C5C4B15BBB1FB84224F24C6AED9894B656C33AD44ACBA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 010FD017, Relevance: .1, Instructions: 53COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291363060.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 824b1736f384bdc6cd6c50cf4b2c9d41c7c828cab6d25fe1576c05bac77cb3fe
                                                                                                                  • Instruction ID: 63fd689e62e15d1ae5be8d0974d0d14d0f45dd4eb2caf20e7d088c7d2649cb06
                                                                                                                  • Opcode Fuzzy Hash: 824b1736f384bdc6cd6c50cf4b2c9d41c7c828cab6d25fe1576c05bac77cb3fe
                                                                                                                  • Instruction Fuzzy Hash: 9011BE75504280DFCB12CF54D5C4B15FBA2FB84314F24C6AEE9494BA56C33AD44ACB61
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 010ED75D, Relevance: .0, Instructions: 45COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291323928.00000000010ED000.00000040.00000001.sdmp, Offset: 010ED000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 03d4978d2938556b878726f660dcf7f197cb6a96d54efc700b5c72276ef70276
                                                                                                                  • Instruction ID: 9fd77d0adf0e559de478be5aff8fd3e463d58de93b7e091e9accdbf5a253291e
                                                                                                                  • Opcode Fuzzy Hash: 03d4978d2938556b878726f660dcf7f197cb6a96d54efc700b5c72276ef70276
                                                                                                                  • Instruction Fuzzy Hash: E801D4710483C49EE7108B5AC88876AFBD8FF45664F08845AEE845A246E3799844C771
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 010ED75C, Relevance: .0, Instructions: 36COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291323928.00000000010ED000.00000040.00000001.sdmp, Offset: 010ED000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e8b4c07e7c981c1a0b295315107cd2a38c99dcf5015f565232c14977ced4d99f
                                                                                                                  • Instruction ID: a42f8e91273b5f3910db2f5e45bfe15f255d2660cd2df29acead97ba71d1d145
                                                                                                                  • Opcode Fuzzy Hash: e8b4c07e7c981c1a0b295315107cd2a38c99dcf5015f565232c14977ced4d99f
                                                                                                                  • Instruction Fuzzy Hash: 0BF062714083849FE7518B5ACDC8B62FFD8EF45674F18C45AEE885B286D3789884CBB1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Non-executed Functions

                                                                                                                  Function 04E20CF9, Relevance: 2.7, Strings: 2, Instructions: 170COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: U7$U7
                                                                                                                  • API String ID: 0-3636353137
                                                                                                                  • Opcode ID: 8d4938fcfe05b1d1d779a146237d3e005cf626f1a197c66352e4ddd8c765fea7
                                                                                                                  • Instruction ID: b6998baba280b78d80cac47dae54cdcaaa04844176198ca4e58c19c881c30755
                                                                                                                  • Opcode Fuzzy Hash: 8d4938fcfe05b1d1d779a146237d3e005cf626f1a197c66352e4ddd8c765fea7
                                                                                                                  • Instruction Fuzzy Hash: 6F712C74E05229CFCB54CF69CA8069EFBB2BF89304F24D1AAD508A7355DB30AA41CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E20D08, Relevance: 2.7, Strings: 2, Instructions: 156COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: U7$U7
                                                                                                                  • API String ID: 0-3636353137
                                                                                                                  • Opcode ID: ebf371ce2cd2d147af5235086f0e8a887fc993219941c38b718e29745caf0ef0
                                                                                                                  • Instruction ID: b3b1984ae5b75dd5b0766f8759d219e3e8f71f319130c5efb95a648b369d9694
                                                                                                                  • Opcode Fuzzy Hash: ebf371ce2cd2d147af5235086f0e8a887fc993219941c38b718e29745caf0ef0
                                                                                                                  • Instruction Fuzzy Hash: 5961FE74E05129CFDB54CF69CA80A9EFBB2BF89304F24D1A9D508A7355DB30AA41CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E22F73, Relevance: 1.5, Strings: 1, Instructions: 292COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 8qCs
                                                                                                                  • API String ID: 0-1404055925
                                                                                                                  • Opcode ID: d019c726db1f49f315796d16a8f72ee614c646b4702fb3afc5d591c8e6d0579a
                                                                                                                  • Instruction ID: 896f25c5be557a08a721d9bcde8642f1b43b4b6b4e632a2a44734048f2c6b259
                                                                                                                  • Opcode Fuzzy Hash: d019c726db1f49f315796d16a8f72ee614c646b4702fb3afc5d591c8e6d0579a
                                                                                                                  • Instruction Fuzzy Hash: 35D15F70E04269CFDB14CFA9CA809AEFBB2BF89304F249569D905BB355D734A941CF60
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E22F80, Relevance: 1.5, Strings: 1, Instructions: 288COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 8qCs
                                                                                                                  • API String ID: 0-1404055925
                                                                                                                  • Opcode ID: fce27c34cc0332df2ed1c5debb10b8ea2d2632cecd6ba78a5434fe630c49a3f5
                                                                                                                  • Instruction ID: c89da830c040cf694c4f02020d7447630a4375f9a54606ba2bf1e1a3161efa86
                                                                                                                  • Opcode Fuzzy Hash: fce27c34cc0332df2ed1c5debb10b8ea2d2632cecd6ba78a5434fe630c49a3f5
                                                                                                                  • Instruction Fuzzy Hash: F6D14C70E04229CFDB14CFA9CA809AEFBB2BF89304F249569D905BB355D734A941CF64
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E23022, Relevance: 1.5, Strings: 1, Instructions: 266COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 8qCs
                                                                                                                  • API String ID: 0-1404055925
                                                                                                                  • Opcode ID: 6f404c72298144580518038a83b9bfcb080c57e4bcd224199fb3c36acbfed140
                                                                                                                  • Instruction ID: 1aeacea6a69d23b39d1b1b476b8e9b113d56a19039a75de06ab433d163b026a3
                                                                                                                  • Opcode Fuzzy Hash: 6f404c72298144580518038a83b9bfcb080c57e4bcd224199fb3c36acbfed140
                                                                                                                  • Instruction Fuzzy Hash: C8C14A74E0422ACFCB14CFA4CA80AADFBF2BF89304F249599D905AB355D734A941CF64
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E235F0, Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Vmu
                                                                                                                  • API String ID: 0-3107633553
                                                                                                                  • Opcode ID: 067b78fe0cbc70bd09a66985a7116ac05e4727ce6338136250ef87c99c92e9f2
                                                                                                                  • Instruction ID: 7003f8f9a5aaef5e9e656f7c7df69ad75ffe067729436dddaf63913a536094af
                                                                                                                  • Opcode Fuzzy Hash: 067b78fe0cbc70bd09a66985a7116ac05e4727ce6338136250ef87c99c92e9f2
                                                                                                                  • Instruction Fuzzy Hash: FC415D70E052298FDB58CF6AD98179EFBF2FB88300F10D4AAD809A7354DB345A858F51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E235DB, Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Vmu
                                                                                                                  • API String ID: 0-3107633553
                                                                                                                  • Opcode ID: 42de5a00b4eef5723a861855b2631a1a2c91c1e9bf6a40c88244cf6cbb7ce822
                                                                                                                  • Instruction ID: ea6ac29001cbef98dff4c096074b04535479381881bcd9c3173c42099b944450
                                                                                                                  • Opcode Fuzzy Hash: 42de5a00b4eef5723a861855b2631a1a2c91c1e9bf6a40c88244cf6cbb7ce822
                                                                                                                  • Instruction Fuzzy Hash: 0B415E70E152198FDB58CF7AC98169EBBF2AB88300F14D4AAD809E7354DB345A45CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014F99D8, Relevance: .3, Instructions: 265COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5ca3f75e344453a9260d5cd7c4bda7f9ba4ed800102d950aa26a3039575124d7
                                                                                                                  • Instruction ID: 4b230b7e59b44d440ef9f1f512c0748f73dd98aa0b9db8c1b7efb81fcfeb925b
                                                                                                                  • Opcode Fuzzy Hash: 5ca3f75e344453a9260d5cd7c4bda7f9ba4ed800102d950aa26a3039575124d7
                                                                                                                  • Instruction Fuzzy Hash: B6A17E36E1021A8FCF05DFB5C84459EBBB6FF89300B15816EEA05BB321EB35A945CB40
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E272F3, Relevance: .2, Instructions: 225COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2d314804ab0bbb24eb9350eaa176aa757339a83ad7794171d62d50439a7bab06
                                                                                                                  • Instruction ID: 89cad4b740f3b70d5742810f389a4b71e992be7f5f8c2372fc136bfad304813c
                                                                                                                  • Opcode Fuzzy Hash: 2d314804ab0bbb24eb9350eaa176aa757339a83ad7794171d62d50439a7bab06
                                                                                                                  • Instruction Fuzzy Hash: 289119B1E05219DFDB04CFA9D6815EEBBF2BF89310F20A06AE405BB214D731AA41CF55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 014F7FC1, Relevance: .1, Instructions: 95COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.291615032.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a08007a36f5fa59d77bca9b8d14aa06b8d279022f04d72e3676bb5763b2cc429
                                                                                                                  • Instruction ID: ef2bcdca72dc1dfcc4f85f1c35c4ba46ce85c3afa10aacc680e804bb5ac0fceb
                                                                                                                  • Opcode Fuzzy Hash: a08007a36f5fa59d77bca9b8d14aa06b8d279022f04d72e3676bb5763b2cc429
                                                                                                                  • Instruction Fuzzy Hash: 4C317076A01202CFDB05DF36A61457F3BF9BB84204745C62ECA15DB326F7349A0ACBA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E2A9E9, Relevance: .1, Instructions: 57COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 39d31dc13f9964c7f0549655a4c783aa3d1feb91d0a4ecbb40410eb9cfec229b
                                                                                                                  • Instruction ID: 04cdd835acd4fdc4b7a84b1c1cd913557d2a5c41e1d7cb195bff6738d29da5d9
                                                                                                                  • Opcode Fuzzy Hash: 39d31dc13f9964c7f0549655a4c783aa3d1feb91d0a4ecbb40410eb9cfec229b
                                                                                                                  • Instruction Fuzzy Hash: D6118C70D042699FCB258F65C649BEEBBF0AF0E304F04607AD481B3280DB749944CB68
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 04E2A9F8, Relevance: .1, Instructions: 53COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.297111672.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a89e1f2cc4b6b515af7e32c51514b30006a10ca63cb5126a525b7564e12e0133
                                                                                                                  • Instruction ID: 876158ade33705a49443d0d716add963e51d28362cff52e9fd82b07e97fb7b65
                                                                                                                  • Opcode Fuzzy Hash: a89e1f2cc4b6b515af7e32c51514b30006a10ca63cb5126a525b7564e12e0133
                                                                                                                  • Instruction Fuzzy Hash: 4F115A70D042299FDB15CFA5C608BEEBBF1AF4E304F14A07AD441B3280DB789944CB68
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Analysis Process: C6RET8T1Wi.exe PID: 7028 Parent PID: 6460 C6RET8T1Wi.exeCOMMON

                                                                                                                  Executed Functions

                                                                                                                  Function 01633DA0, Relevance: 2.3, APIs: 1, Instructions: 811COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.531686239.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e119d6991c51db48c70d97a5a2637f67381b230b95f86ced731c74ddbf5ae5b4
                                                                                                                  • Instruction ID: 8087a016930d633523eed9e9372b55b763707469d782d7f43971f98ef387d3fc
                                                                                                                  • Opcode Fuzzy Hash: e119d6991c51db48c70d97a5a2637f67381b230b95f86ced731c74ddbf5ae5b4
                                                                                                                  • Instruction Fuzzy Hash: 01720835E007198FCB24EF78C95469EB7B5AF89304F1085A9D54AAB354EF30AE85CF81
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 016339D0, Relevance: 1.8, APIs: 1, Instructions: 319libraryCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.531686239.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2994545307-0
                                                                                                                  • Opcode ID: 2164d1b150cabbcdb99388a9dc6c184e4529ea4a55cb37c0f4e1d799ddaca6fb
                                                                                                                  • Instruction ID: cae9b5ff7cea92031fbf4644ecb833ec515a48485002417cf7dd190a4b307fa5
                                                                                                                  • Opcode Fuzzy Hash: 2164d1b150cabbcdb99388a9dc6c184e4529ea4a55cb37c0f4e1d799ddaca6fb
                                                                                                                  • Instruction Fuzzy Hash: 79B10431B083818FC706DB78C854AAA7BB5EF86304F1584AAE546DF392EB34DC49C761
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 0305691F, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132threadCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 030569A0
                                                                                                                  • GetCurrentThread.KERNEL32 ref: 030569DD
                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 03056A1A
                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 03056A73
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                  • String ID: l
                                                                                                                  • API String ID: 2063062207-2517025534
                                                                                                                  • Opcode ID: ffd15b7e7a80ece7c4dfb46b0a52548942d0f641fea0e32e801a18281a9b0a39
                                                                                                                  • Instruction ID: 36ce95c24f96e864cba829746343d3ef175196b00f2db39b573dd0368356bb7a
                                                                                                                  • Opcode Fuzzy Hash: ffd15b7e7a80ece7c4dfb46b0a52548942d0f641fea0e32e801a18281a9b0a39
                                                                                                                  • Instruction Fuzzy Hash: FA5186B0A013888FDB10CFA9C948BAEFBF1EF49314F248469E449A7350CB755844CF62
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 03056940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 030569A0
                                                                                                                  • GetCurrentThread.KERNEL32 ref: 030569DD
                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 03056A1A
                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 03056A73
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2063062207-0
                                                                                                                  • Opcode ID: 169013f4de30684f3ff5cc9bda4e7fa598d399fe029148d49d746884160fb2f4
                                                                                                                  • Instruction ID: cc761a34e6bdc7d062a1850b3916536604b8ea6fc48057de9aeefee73b18c171
                                                                                                                  • Opcode Fuzzy Hash: 169013f4de30684f3ff5cc9bda4e7fa598d399fe029148d49d746884160fb2f4
                                                                                                                  • Instruction Fuzzy Hash: 4A5132B0E012498FDB50CFA9D548BAEFBF1EB88318F248459E449A7350DB755984CF62
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 01631FD8, Relevance: 1.7, APIs: 1, Instructions: 204libraryCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.531686239.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2994545307-0
                                                                                                                  • Opcode ID: 2ff2caf127f0dabe292d1aef6398881dc931b53608a3e9c88f3b57aacd323ad8
                                                                                                                  • Instruction ID: 4736ffc245bd979aa78fe12d7d1681ca00079086b79dac46a9b84121778f3c71
                                                                                                                  • Opcode Fuzzy Hash: 2ff2caf127f0dabe292d1aef6398881dc931b53608a3e9c88f3b57aacd323ad8
                                                                                                                  • Instruction Fuzzy Hash: EB715D34A05305DFDB14EFB8D9686AEBBF6AF85304F10882DE502AB355DF359849CB90
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 0305500F, Relevance: 1.7, APIs: 1, Instructions: 165COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 05278baba5734e30c560d2f9ffac12563cdb36f7c210fb0ab8845b3eefcf37e7
                                                                                                                  • Instruction ID: 32aa276f16cbbbd81c536bd4c7538dff2791de45e7c5ffb1723241cb99837e24
                                                                                                                  • Opcode Fuzzy Hash: 05278baba5734e30c560d2f9ffac12563cdb36f7c210fb0ab8845b3eefcf37e7
                                                                                                                  • Instruction Fuzzy Hash: 226135B1C053499FCF02CFA9C980ADDBFB5BF4A314F19819AE808AB221D7719945CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 016BECD8, Relevance: 1.6, APIs: 1, Instructions: 133COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.531779829.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e4778cc9330212ede8f491ecad80191c54b7127d7eb0f3f64671514729eb9996
                                                                                                                  • Instruction ID: 1ea64dde43715d97b5579cec79c5e7fa835dcdc3bc0bab94e277f235c5bd610b
                                                                                                                  • Opcode Fuzzy Hash: e4778cc9330212ede8f491ecad80191c54b7127d7eb0f3f64671514729eb9996
                                                                                                                  • Instruction Fuzzy Hash: 57412672D043598FCB04CFA9C8446EEBBF1EF89224F15856AD604EB351EB749885CBE1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 03055090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030551A2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 716092398-0
                                                                                                                  • Opcode ID: cfb6f240175fb900bf23a27f3abf5803115efe22229684220d9596f8372d2e4d
                                                                                                                  • Instruction ID: 9ed47d5c653a0f92292be57bfc0e1473071e0a5d1a8abb0deaa103ac8dcf036d
                                                                                                                  • Opcode Fuzzy Hash: cfb6f240175fb900bf23a27f3abf5803115efe22229684220d9596f8372d2e4d
                                                                                                                  • Instruction Fuzzy Hash: C041CEB1D013489FDF14CF99C984ADEBFB5BF49314F24812AE819AB210D774A985CF90
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 016B54C8, Relevance: 1.6, APIs: 1, Instructions: 106registryCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 016B55CC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.531779829.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: Open
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 71445658-0
                                                                                                                  • Opcode ID: 469492522c15d40d570098d9b4276d91b24ef752294fb2f5aabfe586db53ea0c
                                                                                                                  • Instruction ID: a810b1a1bd6ac775e718d16e657078ad83b4efea3e5dbb850b89ca45fd8df29e
                                                                                                                  • Opcode Fuzzy Hash: 469492522c15d40d570098d9b4276d91b24ef752294fb2f5aabfe586db53ea0c
                                                                                                                  • Instruction Fuzzy Hash: D74134B1E003498FDB01CFA8C584ADEBBF1AF48314F24C16AE409AB355DB749885CB90
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 0305779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 03057F09
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: CallProcWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2714655100-0
                                                                                                                  • Opcode ID: ed80d11f9637d9ae9bae5b7e08aef771bf1c467721b4273a87e900a7c5f46510
                                                                                                                  • Instruction ID: 084354b31960d9056a9b202de90354371785bc4639a48fd5decf966dc0230803
                                                                                                                  • Opcode Fuzzy Hash: ed80d11f9637d9ae9bae5b7e08aef771bf1c467721b4273a87e900a7c5f46510
                                                                                                                  • Instruction Fuzzy Hash: D94128B5A013498FCB14CF99C488AABBBF5FB88714F148459E919AB321D774A841CFA0
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 016B5774, Relevance: 1.6, APIs: 1, Instructions: 96registryCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 016B5839
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.531779829.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: QueryValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3660427363-0
                                                                                                                  • Opcode ID: b7900620ca51a3ca05c80c9bdc8735c30108ebbc4c6187f4aabce7cafc615a57
                                                                                                                  • Instruction ID: 83942ec91dad8845651f39d3864eb27f410a212e5cd5d95f6d7621ba29a1a8df
                                                                                                                  • Opcode Fuzzy Hash: b7900620ca51a3ca05c80c9bdc8735c30108ebbc4c6187f4aabce7cafc615a57
                                                                                                                  • Instruction Fuzzy Hash: EE41E0B1D012589FDB10CFAAC984ADEBFF5AF48314F15802AE91AAB310D7759945CFA0
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 016B5780, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 016B5839
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.531779829.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: QueryValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3660427363-0
                                                                                                                  • Opcode ID: 4b787925d098a4446c82b78de1d34fd3de23c3baf18835ae9f5a26d5a74bea75
                                                                                                                  • Instruction ID: 8ad4203b2be7f1a6d362ecd773994a59ae51c82f289856d0cfae5ddc6a6843e4
                                                                                                                  • Opcode Fuzzy Hash: 4b787925d098a4446c82b78de1d34fd3de23c3baf18835ae9f5a26d5a74bea75
                                                                                                                  • Instruction Fuzzy Hash: 9731DEB1D012589FDB10CF9AC984ADEBBF5BF48314F15802AE81AAB310D7749945CFA0
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 0305C189, Relevance: 1.6, APIs: 1, Instructions: 78COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 0305C212
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: EncodePointer
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2118026453-0
                                                                                                                  • Opcode ID: f10efa84d70b2b3579499757c06f1618b337650a61070c7cc619f9f585228c02
                                                                                                                  • Instruction ID: 967132808e239db811ff262330db5568ed4049c04b7a62b5ce05e4911ec8f53f
                                                                                                                  • Opcode Fuzzy Hash: f10efa84d70b2b3579499757c06f1618b337650a61070c7cc619f9f585228c02
                                                                                                                  • Instruction Fuzzy Hash: 2031D4B1C063888FEB20DFA9E54939EBFF4EB46314F18445AE848AB742D7795504CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 03056B63, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03056BEF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DuplicateHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3793708945-0
                                                                                                                  • Opcode ID: 3e3df7a771aac499dcd210bd4be499e55d6449409c4d0cb7a4d70936a04cc65a
                                                                                                                  • Instruction ID: d0f92fe10bb783033f73ad045cf3501ed90aa21d2455d5667422740b4ca980ba
                                                                                                                  • Opcode Fuzzy Hash: 3e3df7a771aac499dcd210bd4be499e55d6449409c4d0cb7a4d70936a04cc65a
                                                                                                                  • Instruction Fuzzy Hash: 3B21E2B5900249DFDB10CFA9D984AEEBBF4FB48324F14842AE914A7310D375A954CF61
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 03056B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03056BEF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DuplicateHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3793708945-0
                                                                                                                  • Opcode ID: bb2aa941bbad076bbf64213330c7ba49b53042388565165e90e9163ed2058757
                                                                                                                  • Instruction ID: 2b2a1f4c23028ea4943da772f4690ad8d4464e2651e78f90822b2e939988cedd
                                                                                                                  • Opcode Fuzzy Hash: bb2aa941bbad076bbf64213330c7ba49b53042388565165e90e9163ed2058757
                                                                                                                  • Instruction Fuzzy Hash: 0E21E2B59002489FDB10CFA9D984AEEFBF8EB48324F14841AE914A3310D374A944CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 016BD784, Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,016BED2A), ref: 016BEE17
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.531779829.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: GlobalMemoryStatus
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1890195054-0
                                                                                                                  • Opcode ID: 86c3609967007584f3135b6eb99aed72a0d5820b5c2225c357e9eb8100776a64
                                                                                                                  • Instruction ID: 028e2b5708259f446fb7a386a5fdf73f37389150f64d8419897add6e366cfee5
                                                                                                                  • Opcode Fuzzy Hash: 86c3609967007584f3135b6eb99aed72a0d5820b5c2225c357e9eb8100776a64
                                                                                                                  • Instruction Fuzzy Hash: A01144B1C006599BCB00CF9AC884BEEFBF4EB48224F00852AE914B7240D378A945CFE1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 0305C198, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 0305C212
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: EncodePointer
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2118026453-0
                                                                                                                  • Opcode ID: ca3de3a9c63326951de62832fc1d3fbe6ed13c1bcf22bc1b8107ac679c2923c9
                                                                                                                  • Instruction ID: 808866e014cef431d5b69a018e77823442ffd0eae5270dc60173b12e3ed7257f
                                                                                                                  • Opcode Fuzzy Hash: ca3de3a9c63326951de62832fc1d3fbe6ed13c1bcf22bc1b8107ac679c2923c9
                                                                                                                  • Instruction Fuzzy Hash: 2F116DB19023098FEB60DFA9D54879EBFF8EB49324F14842AE809A7641D7395944CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 03053300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 03054116
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4139908857-0
                                                                                                                  • Opcode ID: 9d61315a58543a6b5802d9edb8fa591d923b9ee39dcd8669c6418387ff5bc5e6
                                                                                                                  • Instruction ID: a1a655dcaaf857b5ce7c46ab6df00a90fe095b942e9b830a3878fb787b01ac99
                                                                                                                  • Opcode Fuzzy Hash: 9d61315a58543a6b5802d9edb8fa591d923b9ee39dcd8669c6418387ff5bc5e6
                                                                                                                  • Instruction Fuzzy Hash: EE1134B2C002498FCB10CF9AC444BDFFBF4EB48224F14842AE829B7200D374A585CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Function 030540AC, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 03054116
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.532322035.0000000003050000.00000040.00000001.sdmp, Offset: 03050000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4139908857-0
                                                                                                                  • Opcode ID: 047f3890be6ab6dbf9dbdc76ba301d114524b246f50a233a5124e660526a7cf2
                                                                                                                  • Instruction ID: 0021c8d6700b66b25c063eaa3e54a09910e176d83112087cbce8e6762e5704b8
                                                                                                                  • Opcode Fuzzy Hash: 047f3890be6ab6dbf9dbdc76ba301d114524b246f50a233a5124e660526a7cf2
                                                                                                                  • Instruction Fuzzy Hash: 92110FB6C006498FCB10CF9AC544BDEFBF4AF48224F14841AD829B7600D778A589CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Non-executed Functions

                                                                                                                  Function 016B5911, Relevance: .1, Instructions: 62COMMON
                                                                                                                  Download Yara Rule
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.531779829.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3feb95d876e7c7e4d7104b34f196354d4d56ad1bb153fb89a97307e016409cd6
                                                                                                                  • Instruction ID: 92816475caf734924733a65c1ee42f2011069b88d726a88ce6edde6cc02a25b9
                                                                                                                  • Opcode Fuzzy Hash: 3feb95d876e7c7e4d7104b34f196354d4d56ad1bb153fb89a97307e016409cd6
                                                                                                                  • Instruction Fuzzy Hash: 9411E730B082858FD719E774C8A16AE3BB2DF87304F1540B9950ACF791DA348D46C752
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%