Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report ORDER.exe

Overview

General Information

Sample Name:ORDER.exe
Analysis ID:383969
MD5:351279e865038f0d4f1c34be92c5ffcf
SHA1:dd5ac844657d2351e686c593fc87a450381e3a89
SHA256:dd7f52fd623b7913c7494ecebae45a9b4dd843b5a363652e3ab92da9cdb3a691
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • ORDER.exe (PID: 5428 cmdline: 'C:\Users\user\Desktop\ORDER.exe' MD5: 351279E865038F0D4F1C34BE92C5FFCF)
    • schtasks.exe (PID: 240 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uAtuTtfXv' /XML 'C:\Users\user\AppData\Local\Temp\tmp7391.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ORDER.exe (PID: 6052 cmdline: {path} MD5: 351279E865038F0D4F1C34BE92C5FFCF)
      • dw20.exe (PID: 6088 cmdline: dw20.exe -x -s 756 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1422871978", "Chat URL": "https://api.telegram.org/bot1624300088:AAErstUTFyyeTcKqXZnnSnwnH27Dy-zCSTc/sendDocument"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.236134053.0000000003E01000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000006.00000002.249166242.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      Process Memory Space: ORDER.exe PID: 5428JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        Process Memory Space: ORDER.exe PID: 5428JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          Process Memory Space: ORDER.exe PID: 6052JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.ORDER.exe.4085d88.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              6.2.ORDER.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                1.2.ORDER.exe.40bbfa8.4.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  1.2.ORDER.exe.4085d88.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    1.2.ORDER.exe.3f9d948.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Scheduled temp file as task from temp locationShow sources
                      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uAtuTtfXv' /XML 'C:\Users\user\AppData\Local\Temp\tmp7391.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uAtuTtfXv' /XML 'C:\Users\user\AppData\Local\Temp\tmp7391.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ORDER.exe' , ParentImage: C:\Users\user\Desktop\ORDER.exe, ParentProcessId: 5428, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uAtuTtfXv' /XML 'C:\Users\user\AppData\Local\Temp\tmp7391.tmp', ProcessId: 240

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 6.2.ORDER.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1422871978", "Chat URL": "https://api.telegram.org/bot1624300088:AAErstUTFyyeTcKqXZnnSnwnH27Dy-zCSTc/sendDocument"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\uAtuTtfXv.exeReversingLabs: Detection: 27%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: ORDER.exeVirustotal: Detection: 38%Perma Link
                      Source: ORDER.exeReversingLabs: Detection: 27%
                      Source: 6.2.ORDER.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: ORDER.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\ORDER.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                      Source: ORDER.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: mscorrc.pdb source: ORDER.exe, 00000001.00000002.240910596.00000000071E0000.00000002.00000001.sdmp, ORDER.exe, 00000006.00000002.250157695.0000000004D80000.00000002.00000001.sdmp
                      Source: ORDER.exe, 00000001.00000003.213511591.00000000012FD000.00000004.00000001.sdmpString found in binary or memory: http://en.wDX
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: ORDER.exe, 00000001.00000003.214219445.000000000533B000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com/
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: ORDER.exe, 00000001.00000003.216441928.0000000005330000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: ORDER.exe, 00000001.00000003.220904273.0000000005329000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersR
                      Source: ORDER.exe, 00000001.00000003.234693220.0000000005320000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: ORDER.exe, 00000001.00000003.213937928.000000000533B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: ORDER.exe, 00000001.00000003.213958029.000000000533B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com-u
                      Source: ORDER.exe, 00000001.00000003.213937928.000000000533B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com4
                      Source: ORDER.exe, 00000001.00000003.213937928.000000000533B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comic
                      Source: ORDER.exe, 00000001.00000003.213984328.000000000533B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comn%
                      Source: ORDER.exe, 00000001.00000003.215985763.0000000005324000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.cl
                      Source: ORDER.exe, 00000001.00000003.216118395.000000000532B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: ORDER.exe, 00000001.00000003.215985763.0000000005324000.00000004.00000001.sdmp, ORDER.exe, 00000001.00000003.215719190.000000000535D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: ORDER.exe, 00000001.00000003.215719190.000000000535D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn2
                      Source: ORDER.exe, 00000001.00000003.215719190.000000000535D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnJ
                      Source: ORDER.exe, 00000001.00000003.215719190.000000000535D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnl-sw
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmp, ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Gras
                      Source: ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Verd
                      Source: ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/VerdJ
                      Source: ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/W
                      Source: ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/0
                      Source: ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/x
                      Source: ORDER.exe, 00000001.00000003.213978180.0000000005344000.00000004.00000001.sdmp, ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: ORDER.exe, 00000001.00000003.213937928.000000000533B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com4
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmp, ORDER.exe, 00000001.00000003.215056921.0000000005329000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: ORDER.exe, 00000001.00000003.215056921.0000000005329000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krtri
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmp, ORDER.exe, 00000001.00000003.214219445.000000000533B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: ORDER.exe, 00000001.00000003.214191426.000000000533B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com3
                      Source: ORDER.exe, 00000001.00000003.214219445.000000000533B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comF
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: ORDER.exe, 00000001.00000002.236134053.0000000003E01000.00000004.00000001.sdmp, ORDER.exe, 00000006.00000002.249166242.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot1624300088:AAErstUTFyyeTcKqXZnnSnwnH27Dy-zCSTc/
                      Source: ORDER.exeString found in binary or memory: https://github.com/michel-pi/EasyBot.Net
                      Source: ORDER.exe, 00000001.00000002.236134053.0000000003E01000.00000004.00000001.sdmp, ORDER.exe, 00000006.00000002.249166242.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 6.2.ORDER.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6DDA3EFAu002d4B94u002d45A4u002d8314u002dC206B63ABCA4u007d/FD4A8E35u002dA159u002d48C6u002dB730u002dD5C8C22BA113.csLarge array initialization: .cctor: array initializer size 12007
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: ORDER.exe
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050025401_2_05002540
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050001681_2_05000168
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500BDE81_2_0500BDE8
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500CCF81_2_0500CCF8
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05002F581_2_05002F58
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05004B881_2_05004B88
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05001FE01_2_05001FE0
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050042281_2_05004228
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05005A481_2_05005A48
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500CA501_2_0500CA50
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05003AE01_2_05003AE0
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05002AEF1_2_05002AEF
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050079081_2_05007908
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050025301_2_05002530
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050059491_2_05005949
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05007D521_2_05007D52
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050001581_2_05000158
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050059D51_2_050059D5
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500BDDB1_2_0500BDDB
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05008C971_2_05008C97
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500ACB81_2_0500ACB8
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500ACC81_2_0500ACC8
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05008CD01_2_05008CD0
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500A0E81_2_0500A0E8
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500CCE81_2_0500CCE8
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500A0F81_2_0500A0F8
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050078F91_2_050078F9
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500C7111_2_0500C711
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050077281_2_05007728
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050077381_2_05007738
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05007B601_2_05007B60
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05007B701_2_05007B70
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050092091_2_05009209
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05003A331_2_05003A33
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05009A481_2_05009A48
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050092501_2_05009250
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_050046AA1_2_050046AA
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05009EAA1_2_05009EAA
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_05003AB51_2_05003AB5
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500A6C01_2_0500A6C0
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500A6C81_2_0500A6C8
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 756
                      Source: ORDER.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: uAtuTtfXv.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ORDER.exeBinary or memory string: OriginalFilename vs ORDER.exe
                      Source: ORDER.exe, 00000001.00000000.212574641.0000000000762000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamez! vs ORDER.exe
                      Source: ORDER.exe, 00000001.00000002.240647201.0000000006F70000.00000002.00000001.sdmpBinary or memory string: originalfilename vs ORDER.exe
                      Source: ORDER.exe, 00000001.00000002.240647201.0000000006F70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER.exe
                      Source: ORDER.exe, 00000001.00000002.236134053.0000000003E01000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs ORDER.exe
                      Source: ORDER.exe, 00000001.00000002.236134053.0000000003E01000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameztFsqdVrHZZUnwKBzrNwmgelgcKcSFZldwMyw.exe4 vs ORDER.exe
                      Source: ORDER.exe, 00000001.00000002.240910596.00000000071E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs ORDER.exe
                      Source: ORDER.exe, 00000001.00000002.240985351.00000000072B0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs ORDER.exe
                      Source: ORDER.exe, 00000001.00000002.240978420.0000000007290000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMetroFramework.dll> vs ORDER.exe
                      Source: ORDER.exeBinary or memory string: OriginalFilename vs ORDER.exe
                      Source: ORDER.exe, 00000006.00000000.234348930.0000000000512000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamez! vs ORDER.exe
                      Source: ORDER.exe, 00000006.00000002.250157695.0000000004D80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs ORDER.exe
                      Source: ORDER.exe, 00000006.00000002.249622939.0000000000BFA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs ORDER.exe
                      Source: ORDER.exe, 00000006.00000002.249166242.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameztFsqdVrHZZUnwKBzrNwmgelgcKcSFZldwMyw.exe4 vs ORDER.exe
                      Source: ORDER.exeBinary or memory string: OriginalFilenamez! vs ORDER.exe
                      Source: ORDER.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: ORDER.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: uAtuTtfXv.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 6.2.ORDER.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 6.2.ORDER.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@8/6@0/0
                      Source: C:\Users\user\Desktop\ORDER.exeFile created: C:\Users\user\AppData\Roaming\uAtuTtfXv.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01
                      Source: C:\Users\user\Desktop\ORDER.exeFile created: C:\Users\user\AppData\Local\Temp\tmp7391.tmpJump to behavior
                      Source: ORDER.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\ORDER.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: ORDER.exeVirustotal: Detection: 38%
                      Source: ORDER.exeReversingLabs: Detection: 27%
                      Source: C:\Users\user\Desktop\ORDER.exeFile read: C:\Users\user\Desktop\ORDER.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\ORDER.exe 'C:\Users\user\Desktop\ORDER.exe'
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uAtuTtfXv' /XML 'C:\Users\user\AppData\Local\Temp\tmp7391.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Users\user\Desktop\ORDER.exe {path}
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 756
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uAtuTtfXv' /XML 'C:\Users\user\AppData\Local\Temp\tmp7391.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Users\user\Desktop\ORDER.exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 756Jump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
                      Source: ORDER.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: C:\Users\user\Desktop\ORDER.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                      Source: ORDER.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: mscorrc.pdb source: ORDER.exe, 00000001.00000002.240910596.00000000071E0000.00000002.00000001.sdmp, ORDER.exe, 00000006.00000002.250157695.0000000004D80000.00000002.00000001.sdmp

                      Data Obfuscation:

                      barindex
                      .NET source code contains method to dynamically call methods (often used by packers)Show sources
                      Source: ORDER.exe, ImageManager/Main.cs.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: uAtuTtfXv.exe.1.dr, ImageManager/Main.cs.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 1.2.ORDER.exe.760000.0.unpack, ImageManager/Main.cs.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 1.0.ORDER.exe.760000.0.unpack, ImageManager/Main.cs.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 6.0.ORDER.exe.510000.0.unpack, ImageManager/Main.cs.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 6.2.ORDER.exe.510000.1.unpack, ImageManager/Main.cs.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500A5AC push ss; retf 1_2_0500A5B8
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500842C push esp; iretd 1_2_0500842D
                      Source: C:\Users\user\Desktop\ORDER.exeCode function: 1_2_0500D3B8 push edx; iretd 1_2_0500D3BB
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.89896443713
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.89896443713
                      Source: C:\Users\user\Desktop\ORDER.exeFile created: C:\Users\user\AppData\Roaming\uAtuTtfXv.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uAtuTtfXv' /XML 'C:\Users\user\AppData\Local\Temp\tmp7391.tmp'
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: Process Memory Space: ORDER.exe PID: 5428, type: MEMORY
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\ORDER.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exe TID: 4688Thread sleep time: -31500s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exe TID: 5080Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\ORDER.exeThread delayed: delay time: 31500Jump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: ORDER.exe, 00000001.00000002.241737239.0000000007572000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\Desktop\ORDER.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      .NET source code references suspicious native API functionsShow sources
                      Source: ORDER.exe, ImageManager/PInvoke/WinApi.csReference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                      Source: uAtuTtfXv.exe.1.dr, ImageManager/PInvoke/WinApi.csReference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                      Source: 1.2.ORDER.exe.760000.0.unpack, ImageManager/PInvoke/WinApi.csReference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                      Source: 1.0.ORDER.exe.760000.0.unpack, ImageManager/PInvoke/WinApi.csReference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                      Source: 6.0.ORDER.exe.510000.0.unpack, ImageManager/PInvoke/WinApi.csReference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                      Source: 6.2.ORDER.exe.400000.0.unpack, A/b2.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                      Source: 6.2.ORDER.exe.510000.1.unpack, ImageManager/PInvoke/WinApi.csReference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\ORDER.exeMemory written: C:\Users\user\Desktop\ORDER.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uAtuTtfXv' /XML 'C:\Users\user\AppData\Local\Temp\tmp7391.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Users\user\Desktop\ORDER.exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 756Jump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000001.00000002.236134053.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.249166242.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: ORDER.exe PID: 5428, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: ORDER.exe PID: 6052, type: MEMORY
                      Source: Yara matchFile source: 1.2.ORDER.exe.4085d88.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.ORDER.exe.40bbfa8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.ORDER.exe.4085d88.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.ORDER.exe.3f9d948.3.raw.unpack, type: UNPACKEDPE

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000001.00000002.236134053.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.249166242.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: ORDER.exe PID: 5428, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: ORDER.exe PID: 6052, type: MEMORY
                      Source: Yara matchFile source: 1.2.ORDER.exe.4085d88.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.ORDER.exe.40bbfa8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.ORDER.exe.4085d88.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.ORDER.exe.3f9d948.3.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsScheduled Task/Job1Scheduled Task/Job1Process Injection111Masquerading1OS Credential DumpingSecurity Software Discovery221Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsNative API1Boot or Logon Initialization ScriptsScheduled Task/Job1Disable or Modify Tools1LSASS MemoryVirtualization/Sandbox Evasion41Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion41Security Account ManagerRemote System Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection111NTDSFile and Directory Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery11SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information2Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing13DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      ORDER.exe39%VirustotalBrowse
                      ORDER.exe27%ReversingLabsWin32.Trojan.AgentTesla

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\uAtuTtfXv.exe27%ReversingLabsWin32.Trojan.AgentTesla

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      6.2.ORDER.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://www.founder.com.cn/cnJ0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.sajatypeworks.com40%Avira URL Cloudsafe
                      http://www.tiro.com30%Avira URL Cloudsafe
                      http://en.wDX0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/jp/00%Avira URL Cloudsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.comF0%Avira URL Cloudsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/Verd0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnl-sw0%Avira URL Cloudsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.fonts.comic0%URL Reputationsafe
                      http://www.fonts.comic0%URL Reputationsafe
                      http://www.fonts.comic0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.founder.cl0%Avira URL Cloudsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/W0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/W0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/W0%URL Reputationsafe
                      http://www.sandoll.co.krtri0%Avira URL Cloudsafe
                      http://www.fonts.comn%0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/Gras0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.fontbureau.coma0%URL Reputationsafe
                      http://www.fontbureau.coma0%URL Reputationsafe
                      http://www.fontbureau.coma0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/x0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/x0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/x0%URL Reputationsafe
                      http://www.founder.com.cn/cn20%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/VerdJ0%Avira URL Cloudsafe
                      http://www.fonts.com40%Avira URL Cloudsafe
                      http://www.fonts.com-u0%Avira URL Cloudsafe
                      http://fontfabrik.com/0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.fontbureau.com/designersGORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.com/designers/?ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                          		high
                          http://www.founder.com.cn/cnJORDER.exe, 00000001.00000003.215719190.000000000535D000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.founder.com.cn/cn/bTheORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.sajatypeworks.com4ORDER.exe, 00000001.00000003.213937928.000000000533B000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.tiro.com3ORDER.exe, 00000001.00000003.214191426.000000000533B000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://github.com/michel-pi/EasyBot.NetORDER.exefalse
                            		high
                            http://www.fontbureau.com/designers?ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                              		high
                              http://en.wDXORDER.exe, 00000001.00000003.213511591.00000000012FD000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/jp/0ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.tiro.comORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmp, ORDER.exe, 00000001.00000003.214219445.000000000533B000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designersORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                		high
                                http://www.tiro.comFORDER.exe, 00000001.00000003.214219445.000000000533B000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.goodfont.co.krORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.carterandcone.comORDER.exe, 00000001.00000003.216441928.0000000005330000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/VerdORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.founder.com.cn/cnl-swORDER.exe, 00000001.00000003.215719190.000000000535D000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.fontbureau.com/designersRORDER.exe, 00000001.00000003.220904273.0000000005329000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.sajatypeworks.comORDER.exe, 00000001.00000003.213978180.0000000005344000.00000004.00000001.sdmp, ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn/cTheORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://fontfabrik.comORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fonts.comicORDER.exe, 00000001.00000003.213937928.000000000533B000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/DPleaseORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fonts.comORDER.exe, 00000001.00000003.213937928.000000000533B000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.sandoll.co.krORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmp, ORDER.exe, 00000001.00000003.215056921.0000000005329000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.founder.clORDER.exe, 00000001.00000003.215985763.0000000005324000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.urwpp.deDPleaseORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.zhongyicts.com.cnORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.sakkal.comORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipORDER.exe, 00000001.00000002.236134053.0000000003E01000.00000004.00000001.sdmp, ORDER.exe, 00000006.00000002.249166242.0000000000402000.00000040.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.apache.org/licenses/LICENSE-2.0ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                      		high
                                      http://www.fontbureau.comORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.jiyu-kobo.co.jp/WORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.sandoll.co.krtriORDER.exe, 00000001.00000003.215056921.0000000005329000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.fonts.comn%ORDER.exe, 00000001.00000003.213984328.000000000533B000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		low
                                        http://www.jiyu-kobo.co.jp/GrasORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/jp/ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.comaORDER.exe, 00000001.00000003.234693220.0000000005320000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.carterandcone.comlORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.founder.com.cn/cn/ORDER.exe, 00000001.00000003.215985763.0000000005324000.00000004.00000001.sdmp, ORDER.exe, 00000001.00000003.215719190.000000000535D000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers/cabarga.htmlNORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.founder.com.cn/cnORDER.exe, 00000001.00000003.216118395.000000000532B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/xORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com/designers/frere-jones.htmlORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.founder.com.cn/cn2ORDER.exe, 00000001.00000003.215719190.000000000535D000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmp, ORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers8ORDER.exe, 00000001.00000002.240280153.00000000065B2000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.jiyu-kobo.co.jp/VerdJORDER.exe, 00000001.00000003.217614683.0000000005324000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fonts.com4ORDER.exe, 00000001.00000003.213937928.000000000533B000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://api.telegram.org/bot1624300088:AAErstUTFyyeTcKqXZnnSnwnH27Dy-zCSTc/ORDER.exe, 00000001.00000002.236134053.0000000003E01000.00000004.00000001.sdmp, ORDER.exe, 00000006.00000002.249166242.0000000000402000.00000040.00000001.sdmpfalse
                                                		high
                                                http://www.fonts.com-uORDER.exe, 00000001.00000003.213958029.000000000533B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://fontfabrik.com/ORDER.exe, 00000001.00000003.214219445.000000000533B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown

                                                Contacted IPs

                                                No contacted IP infos

                                                General Information

                                                Joe Sandbox Version:31.0.0 Emerald
                                                Analysis ID:383969
                                                Start date:08.04.2021
                                                Start time:13:23:53
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 7m 55s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:ORDER.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:31
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@8/6@0/0
                                                EGA Information:Failed
                                                HDC Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 141
                                                • Number of non-executed functions: 21
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                Show All
                                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 23.54.113.53, 40.88.32.150, 104.42.151.234, 52.147.198.201, 13.88.21.125, 95.100.54.203, 20.82.210.154, 23.10.249.43, 23.10.249.26, 23.0.174.185, 23.0.174.200, 20.54.26.129, 104.43.193.48, 52.255.188.83, 13.64.90.137
                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                13:24:51API Interceptor2x Sleep call for process: ORDER.exe modified
                                                13:25:02API Interceptor1x Sleep call for process: dw20.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ORDER.exe_a98c55928929b2832be98a97c3d2d245aa320_00000000_17f4f2e7\Report.wer
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):10352
                                                Entropy (8bit):3.7755754040059637
                                                Encrypted:false
                                                SSDEEP:96:45de7TM1r0zmVzxWs5h5pXI/+BHUHZopAnQ0DFH2EmSonj+wdOyWnEeVc1F9ZQbk:8de7Y1DDHPaPLk9MK/u7sBS274Itf
                                                MD5:116DA349623C4F9A9371F060A59BD64F
                                                SHA1:3A0775340DE08C0FCE8071BAA82EB7B326CA3022
                                                SHA-256:AF1F8B4EE10A591BB8D4F747CA6E1CD89BC1A168E3BB63D823254F5A90BCF7A4
                                                SHA-512:7EF096F0DFC7EF3AA6089688D90F5B7F9237CC3B5A2B2AF84EC3F69E39BE9463DA2B88ACFF3C7FE535468AB0598A8B747C0E4E195E95EE7619DDED572D5838EF
                                                Malicious:true
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.3.8.7.0.9.6.2.8.8.4.6.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.3.8.7.0.9.6.5.8.5.3.4.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.5.b.1.4.8.9.-.8.9.c.a.-.4.7.1.c.-.a.7.4.0.-.e.8.6.1.b.8.3.5.4.e.7.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.z.!.6.M...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.a.4.-.0.0.0.1.-.0.0.1.7.-.e.0.3.3.-.b.4.3.c.b.5.2.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.d.c.0.0.9.5.f.0.4.3.7.9.9.2.b.9.2.4.5.8.7.3.5.4.a.2.7.3.8.d.3.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.5.a.c.8.4.4.6.5.7.d.2.3.5.1.e.6.8.6.c.5.9.3.f.c.8.7.a.4.5.0.3.8.1.e.3.a.8.9.!.O.R.D.E.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.0.8.:.0.0.:.1.6.:.1.9.!.0.!.O.R.D.E.R...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC42.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):7562
                                                Entropy (8bit):3.7059056723496213
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNiGE6cP16YsB6tgmfo4T8SxSCp14nU1f5fIm:RrlsNiV6cP16YS6tgmfNYSx74n+f5l
                                                MD5:E848DB5E053961AD80EAACCC55EE5082
                                                SHA1:D68D6385562D9EBB81387D7FAF15EA6606F55B1A
                                                SHA-256:6DB4D2B3E08CB21DE99126C18DF4363CED175DC30F5FA31F2DA679F3928283B9
                                                SHA-512:40F8D02882C049E14ABAB06D5E7BC44A9B2A2879E2165F63C9C1E678A2CC26AF1429D4EC0406AF315D15A70138E245844B43D381DC934EAED1680D6C8D8F5007
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.5.2.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCE0.tmp.xml
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4564
                                                Entropy (8bit):4.4884439745445075
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zswJgtWI9YmWSC8Bc8fm8M4JFKffsJoFN+q8LJsDJCquud:uITf2fnSN7JFKXEsAJmJCquud
                                                MD5:4650AED76587B321F6B29D3D0355B0CA
                                                SHA1:F7F1369DCC1AA686097C0893C3C9A19E66687070
                                                SHA-256:11E3EF95D68B1E1441D982BB3FC6148E75D83458B904F4F4294A03925E1E8B3F
                                                SHA-512:4D891BA3A90458ED36C1FD162579AB641DA0C19BBD0760D469079CD8DED10BD76815C51098C4F9C7A1C461D3976F2C9FEB335B3283E4B88269FF144EDECDC191
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="937775" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ORDER.exe.log
                                                Process:C:\Users\user\Desktop\ORDER.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):525
                                                Entropy (8bit):5.2874233355119316
                                                Encrypted:false
                                                SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                C:\Users\user\AppData\Local\Temp\tmp7391.tmp
                                                Process:C:\Users\user\Desktop\ORDER.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1642
                                                Entropy (8bit):5.185842204775607
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBKtn:cbh47TlNQ//rydbz9I3YODOLNdq3C
                                                MD5:C30B598C6019BB98F01CD42F85E8E8D9
                                                SHA1:3BF8BEDC801D372BAF2278B9F148A80882D50D6E
                                                SHA-256:0D3DDFCC3AD50DDFCA495CC209EC58A1C4AC43CB2AA28DAC786F15F4D0517706
                                                SHA-512:EC98195FACD8B18DB899FDF69A2BDE59B211DF150F60DA6CC2FC707D69936B5F0F835960AD48B720B389FF2C495C638D53E8DB81CB839929029801D32C584618
                                                Malicious:true
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                C:\Users\user\AppData\Roaming\uAtuTtfXv.exe
                                                Process:C:\Users\user\Desktop\ORDER.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):945152
                                                Entropy (8bit):7.733393625247205
                                                Encrypted:false
                                                SSDEEP:12288:FKXy1c0w2iNJn+oHxDZ3jKV/JyZ3LNFyzGx+5BXdfwkiJ2eb9B5eSiyyjK:cP1r+Sxd3jgYZ3RczOYZ1wfUwId8
                                                MD5:351279E865038F0D4F1C34BE92C5FFCF
                                                SHA1:DD5AC844657D2351E686C593FC87A450381E3A89
                                                SHA-256:DD7F52FD623B7913C7494ECEBAE45A9B4DD843B5A363652E3AB92DA9CDB3A691
                                                SHA-512:04771F68BB7901FC9B56C0813BA11AC247208B1A0FBECAFCA175E3416CF4290B5254062479A94D14B939FE62539917ED4F7DD3D78AA4E9BEC80480239764A010
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 27%
                                                Reputation:low
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...SKn`..............0..v............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc...............j..............@..B.......................H.......................Y...:..........................................^..}.....(.......(.....*..*..0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s ...}.....s!...}.....{....o".....{....o#.....(".....{.....o$.....{....o%...."...Bs&...o'...&.{....o%...."...Bs&...o'...&.{....o(....{......o).....{....o(....{......o).....{....o(....{......o).....{....o(....{......o).....{....o

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.733393625247205
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:ORDER.exe
                                                File size:945152
                                                MD5:351279e865038f0d4f1c34be92c5ffcf
                                                SHA1:dd5ac844657d2351e686c593fc87a450381e3a89
                                                SHA256:dd7f52fd623b7913c7494ecebae45a9b4dd843b5a363652e3ab92da9cdb3a691
                                                SHA512:04771f68bb7901fc9b56c0813ba11ac247208b1a0fbecafca175e3416cf4290b5254062479a94d14b939fe62539917ed4f7dd3d78aa4e9bec80480239764a010
                                                SSDEEP:12288:FKXy1c0w2iNJn+oHxDZ3jKV/JyZ3LNFyzGx+5BXdfwkiJ2eb9B5eSiyyjK:cP1r+Sxd3jgYZ3RczOYZ1wfUwId8
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...SKn`..............0..v............... ........@.. ....................................@................................

                                                File Icon

                                                Icon Hash:929296929e9e8eb2

                                                Static PE Info

                                                General

                                                Entrypoint:0x4b94fa
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x606E4B53 [Thu Apr 8 00:16:19 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v2.0.50727
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                mov dword ptr [eax+4Eh], edx
                                                inc edi
                                                or eax, 000A1A0Ah
                                                add byte ptr [eax], al
                                                add byte ptr [ecx+45h], cl
                                                dec esi
                                                inc esp
                                                scasb
                                                inc edx
                                                pushad
                                                add byte ptr [eax], 00000000h
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

                                                Data Directories

                                                NameVirtual AddressVirtual Size Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xb94a80x4f.text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xba0000x2f0ac.rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xea0000xc.reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                Sections

                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                .text0x20000xb75180xb7600False0.907054149625data7.89896443713IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rsrc0xba0000x2f0ac0x2f200False0.362421253316data6.2421551019IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc0xea0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                NameRVASizeTypeLanguageCountry
                                                RT_ICON0xba2b00x709ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                RT_ICON0xc13500x10828dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 318767104, next used block 117440512
                                                RT_ICON0xd1b780x94a8data
                                                RT_ICON0xdb0200x5488data
                                                RT_ICON0xe04a80x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 224, next used block 117440512
                                                RT_ICON0xe46d00x25a8data
                                                RT_ICON0xe6c780x10a8data
                                                RT_ICON0xe7d200x988data
                                                RT_ICON0xe86a80x468GLS_BINARY_LSB_FIRST
                                                RT_GROUP_ICON0xe8b100x84data
                                                RT_VERSION0xe8b940x32cdata
                                                RT_MANIFEST0xe8ec00x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                Imports

                                                DLLImport
                                                mscoree.dll_CorExeMain

                                                Version Infos

                                                DescriptionData
                                                Translation0x0000 0x04b0
                                                LegalCopyrightCopyright 2018 - 2021
                                                Assembly Version3.1.0.5
                                                InternalNamezM.exe
                                                FileVersion3.1.0.5
                                                CompanyName
                                                LegalTrademarks
                                                Comments
                                                ProductNameImage Manager
                                                ProductVersion3.1.0.5
                                                FileDescriptionImage Manager
                                                OriginalFilenamezM.exe

                                                Network Behavior

                                                Network Port Distribution

                                                UDP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Apr 8, 2021 13:24:40.569474936 CEST5020053192.168.2.38.8.8.8
                                                Apr 8, 2021 13:24:40.588349104 CEST53502008.8.8.8192.168.2.3
                                                Apr 8, 2021 13:24:42.784682989 CEST5128153192.168.2.38.8.8.8
                                                Apr 8, 2021 13:24:42.797214031 CEST53512818.8.8.8192.168.2.3
                                                Apr 8, 2021 13:24:43.706543922 CEST4919953192.168.2.38.8.8.8
                                                Apr 8, 2021 13:24:43.718858004 CEST53491998.8.8.8192.168.2.3
                                                Apr 8, 2021 13:24:45.143517017 CEST5062053192.168.2.38.8.8.8
                                                Apr 8, 2021 13:24:45.156260014 CEST53506208.8.8.8192.168.2.3
                                                Apr 8, 2021 13:24:46.883788109 CEST6493853192.168.2.38.8.8.8
                                                Apr 8, 2021 13:24:46.896325111 CEST53649388.8.8.8192.168.2.3
                                                Apr 8, 2021 13:24:48.457182884 CEST6015253192.168.2.38.8.8.8
                                                Apr 8, 2021 13:24:48.469640017 CEST53601528.8.8.8192.168.2.3
                                                Apr 8, 2021 13:24:49.472404957 CEST5754453192.168.2.38.8.8.8
                                                Apr 8, 2021 13:24:49.488020897 CEST53575448.8.8.8192.168.2.3
                                                Apr 8, 2021 13:24:50.534167051 CEST5598453192.168.2.38.8.8.8
                                                Apr 8, 2021 13:24:50.550154924 CEST53559848.8.8.8192.168.2.3
                                                Apr 8, 2021 13:24:51.457585096 CEST6418553192.168.2.38.8.8.8
                                                Apr 8, 2021 13:24:51.471801996 CEST53641858.8.8.8192.168.2.3
                                                Apr 8, 2021 13:24:57.920488119 CEST6511053192.168.2.38.8.8.8
                                                Apr 8, 2021 13:24:57.933506966 CEST53651108.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:03.651426077 CEST5836153192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:03.664046049 CEST53583618.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:04.704349995 CEST6349253192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:04.719369888 CEST53634928.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:05.349138021 CEST6083153192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:05.362237930 CEST53608318.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:10.124577999 CEST6010053192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:10.173801899 CEST53601008.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:12.177082062 CEST5319553192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:12.189585924 CEST53531958.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:13.210030079 CEST5014153192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:13.222681999 CEST53501418.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:16.184787035 CEST5302353192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:16.196759939 CEST53530238.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:27.971662998 CEST4956353192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:27.990072966 CEST53495638.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:34.350477934 CEST5135253192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:34.369616032 CEST53513528.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:43.725986004 CEST5934953192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:43.751817942 CEST53593498.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:45.549663067 CEST5708453192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:45.561527014 CEST53570848.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:46.346766949 CEST5882353192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:46.359770060 CEST53588238.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:47.424964905 CEST5756853192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:47.436907053 CEST53575688.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:48.470308065 CEST5054053192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:48.482166052 CEST53505408.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:51.655776978 CEST5436653192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:51.668162107 CEST53543668.8.8.8192.168.2.3
                                                Apr 8, 2021 13:25:55.663841963 CEST5303453192.168.2.38.8.8.8
                                                Apr 8, 2021 13:25:55.681936979 CEST53530348.8.8.8192.168.2.3
                                                Apr 8, 2021 13:26:26.452462912 CEST5776253192.168.2.38.8.8.8
                                                Apr 8, 2021 13:26:26.471427917 CEST53577628.8.8.8192.168.2.3
                                                Apr 8, 2021 13:26:28.661109924 CEST5543553192.168.2.38.8.8.8
                                                Apr 8, 2021 13:26:28.687755108 CEST53554358.8.8.8192.168.2.3

                                                Code Manipulations

                                                Statistics

                                                CPU Usage

                                                Click to jump to process

                                                Memory Usage

                                                Click to jump to process

                                                High Level Behavior Distribution

                                                Click to dive into process behavior distribution

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                Analysis Process: ORDER.exe PID: 5428 Parent PID: 5696

                                                General

                                                Start time:13:24:44
                                                Start date:08/04/2021
                                                Path:C:\Users\user\Desktop\ORDER.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\ORDER.exe'
                                                Imagebase:0x760000
                                                File size:945152 bytes
                                                MD5 hash:351279E865038F0D4F1C34BE92C5FFCF
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.236134053.0000000003E01000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                Chronological Activities

                                                Analysis Process: schtasks.exe PID: 240 Parent PID: 5428

                                                General

                                                Start time:13:24:54
                                                Start date:08/04/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uAtuTtfXv' /XML 'C:\Users\user\AppData\Local\Temp\tmp7391.tmp'
                                                Imagebase:0x8f0000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Chronological Activities

                                                Analysis Process: conhost.exe PID: 6072 Parent PID: 240

                                                General

                                                Start time:13:24:54
                                                Start date:08/04/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6b2800000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Chronological Activities

                                                Analysis Process: ORDER.exe PID: 6052 Parent PID: 5428

                                                General

                                                Start time:13:24:55
                                                Start date:08/04/2021
                                                Path:C:\Users\user\Desktop\ORDER.exe
                                                Wow64 process (32bit):true
                                                Commandline:{path}
                                                Imagebase:0x510000
                                                File size:945152 bytes
                                                MD5 hash:351279E865038F0D4F1C34BE92C5FFCF
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.249166242.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                Chronological Activities

                                                Analysis Process: dw20.exe PID: 6088 Parent PID: 6052

                                                General

                                                Start time:13:24:55
                                                Start date:08/04/2021
                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                Wow64 process (32bit):true
                                                Commandline:dw20.exe -x -s 756
                                                Imagebase:0x10000000
                                                File size:33936 bytes
                                                MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Chronological Activities

                                                Disassembly

                                                Code Analysis

                                                Reset < >

                                                  Analysis Process: ORDER.exe PID: 5428 Parent PID: 5696 ORDER.exeCOMMON

                                                  Executed Functions

                                                  Function 05000158, Relevance: 3.0, Strings: 1, Instructions: 1782COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `w1q
                                                  • API String ID: 0-2860716242
                                                  • Opcode ID: 1abebaf968e47e80e09b39d666766202ac6adcf6d5a601ff732c1f39bfd495cb
                                                  • Instruction ID: 2abbf380338c1034120c81f8c46766657aef17a925d3adef55cb03056090e534
                                                  • Opcode Fuzzy Hash: 1abebaf968e47e80e09b39d666766202ac6adcf6d5a601ff732c1f39bfd495cb
                                                  • Instruction Fuzzy Hash: 4203A034A01219DFDB65DB24C994BEDB7B2BF89301F5141EAD909AB360CB31AE85CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05000168, Relevance: 3.0, Strings: 1, Instructions: 1780COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `w1q
                                                  • API String ID: 0-2860716242
                                                  • Opcode ID: 1400c4144efe4c2f9650cd574a1011ea18c6311752b9cbc02436a5eab6ccdbd0
                                                  • Instruction ID: f1335f27a3c769b8253cb6f99d0173ca57e776bfe6a5d50c13bed6d8f0981443
                                                  • Opcode Fuzzy Hash: 1400c4144efe4c2f9650cd574a1011ea18c6311752b9cbc02436a5eab6ccdbd0
                                                  • Instruction Fuzzy Hash: BF03AF34A01219DFDB65DB24C994BEDB7B2BF89301F5141EAD909AB360CB31AE85CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BDDB, Relevance: 2.7, Strings: 2, Instructions: 167COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: :@Dr$9PG
                                                  • API String ID: 0-2317716240
                                                  • Opcode ID: 78b1d5f9d3548d6d0605f35593340e48c9f67b8f5a27501a83bcff274361edec
                                                  • Instruction ID: 994e11878d0ad985f2ea7d845c7e773d7f9a5994cb2f73e62360a4e2ffc3b2ef
                                                  • Opcode Fuzzy Hash: 78b1d5f9d3548d6d0605f35593340e48c9f67b8f5a27501a83bcff274361edec
                                                  • Instruction Fuzzy Hash: 5271C4B4E01248DFDF14DFA4E5589ADBBB2FF89314F20906AD409AB358EB345A42CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BDE8, Relevance: 2.7, Strings: 2, Instructions: 164COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: :@Dr$9PG
                                                  • API String ID: 0-2317716240
                                                  • Opcode ID: 9a6b87611cc701142da6c5346f0737475d39ee8d0c29a9b88615dc1628ec0549
                                                  • Instruction ID: 882ecf5001ac2fef4f38dae62787abd78f4261c7c7c19293c68eeb14ff2e9d82
                                                  • Opcode Fuzzy Hash: 9a6b87611cc701142da6c5346f0737475d39ee8d0c29a9b88615dc1628ec0549
                                                  • Instruction Fuzzy Hash: 3C7191B4E01248DFDF14DFA4E5589AEBBB2FF88314F209429D41AAB358EB345A41CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05005949, Relevance: 1.6, Strings: 1, Instructions: 357COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ;DU
                                                  • API String ID: 0-4209818895
                                                  • Opcode ID: bb0bb00e3293c6d4015ace079dfa5ad80facb1d3c62c23f9a9b0293f6cc35fe9
                                                  • Instruction ID: 3118ca46fcbe3bac073cf815f67f3dff8d93e66923b155c6eb72a8403de9981a
                                                  • Opcode Fuzzy Hash: bb0bb00e3293c6d4015ace079dfa5ad80facb1d3c62c23f9a9b0293f6cc35fe9
                                                  • Instruction Fuzzy Hash: 7EE1CF7091A245DFDB04CFA0E9958AEFFF2FF4A300F14A58AD401AB285D7349A45CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050059D5, Relevance: 1.6, Strings: 1, Instructions: 300COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ;DU
                                                  • API String ID: 0-4209818895
                                                  • Opcode ID: fec656011ad3c03b5ffa9a74a0a8df9e739bf3d28a339498197ee5b311b28299
                                                  • Instruction ID: 68d462519c70cabec94240e4d6c25d31a3e73e16bda6405bd45281c6089f223a
                                                  • Opcode Fuzzy Hash: fec656011ad3c03b5ffa9a74a0a8df9e739bf3d28a339498197ee5b311b28299
                                                  • Instruction Fuzzy Hash: DDD18E7090521ADFDB14CFA4E9848AEFBF2FF4A300F24A556C401AB295D734AA41CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05005A48, Relevance: 1.5, Strings: 1, Instructions: 269COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ;DU
                                                  • API String ID: 0-4209818895
                                                  • Opcode ID: e1e3b0719c64b538c919773e0d956fad78b8f0d2cc7fba9dc8cadd456f2d3e3f
                                                  • Instruction ID: 63f7c2095d735b2cb5706ac66e716e18074a5151a78629326e448360f4c0229e
                                                  • Opcode Fuzzy Hash: e1e3b0719c64b538c919773e0d956fad78b8f0d2cc7fba9dc8cadd456f2d3e3f
                                                  • Instruction Fuzzy Hash: 67C1277090521ADFDB14CFA4E9848AEFBF6FF49340F24A556C402AB254D730AA81CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500CCF8, Relevance: 1.5, Strings: 1, Instructions: 215COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: X1kr
                                                  • API String ID: 0-844551562
                                                  • Opcode ID: 5b8003241e2af84feec78c832055cd360289eb17d7d5930b995847465e68a2ff
                                                  • Instruction ID: edafab728c0615566c2539faed6bb0d1986fa099db26472ac095faf2857cf5ab
                                                  • Opcode Fuzzy Hash: 5b8003241e2af84feec78c832055cd360289eb17d7d5930b995847465e68a2ff
                                                  • Instruction Fuzzy Hash: 83A10974E012298FDB64DF65DD487EDBBF2BB88300F1095EA950DA7294EB305A85CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05001FE0, Relevance: 1.4, Strings: 1, Instructions: 167COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: X1kr
                                                  • API String ID: 0-844551562
                                                  • Opcode ID: 0d4d00b22dbdd688f0c15d82488e869d2de434a52a3d67c6053f80825742283b
                                                  • Instruction ID: 018f6fb92c46b0d7fd2bec0d1306f661e04b23f06f28141151fc0ab3eeb7463d
                                                  • Opcode Fuzzy Hash: 0d4d00b22dbdd688f0c15d82488e869d2de434a52a3d67c6053f80825742283b
                                                  • Instruction Fuzzy Hash: 7971BE74E00218DFDB18DFAAD984AADBBF2FF88304F24816AD919AB355DB315941CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05002530, Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: X1kr
                                                  • API String ID: 0-844551562
                                                  • Opcode ID: a2fbf73d886f0574270e8e1568030a47cd43f7f008d1c177dbca3ced0778eb5a
                                                  • Instruction ID: ab5e80746f118344f01b431b386ef04d754e962d1491c1b1d60adb043b1c726d
                                                  • Opcode Fuzzy Hash: a2fbf73d886f0574270e8e1568030a47cd43f7f008d1c177dbca3ced0778eb5a
                                                  • Instruction Fuzzy Hash: 1E51B474E00258DFDB48DFAAD954AAEBBF2BF98300F24C16AD509AB254DB315941CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05002540, Relevance: 1.4, Strings: 1, Instructions: 128COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: X1kr
                                                  • API String ID: 0-844551562
                                                  • Opcode ID: 504a2af102becd6f96dcd26c41e919d8944647d5ca006c22e58c816f2643bed2
                                                  • Instruction ID: ee82eb3498bb4a10feb359b8147da594a41a75fbb404edc6844e8a38a9679cae
                                                  • Opcode Fuzzy Hash: 504a2af102becd6f96dcd26c41e919d8944647d5ca006c22e58c816f2643bed2
                                                  • Instruction Fuzzy Hash: 295182B4E012199FDB48DFAAD954AAEBBF2BF88300F24C12AD509AB254DB315941CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05003A33, Relevance: .2, Instructions: 219COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 66078c618ecd33ebebbf5ac05cd984669572f446fe0ac765cc9f25ef1cc77d6b
                                                  • Instruction ID: ba02cae89d2bdcfa4af94801d0b9e1ee5ab321dd832044823a897714499adbea
                                                  • Opcode Fuzzy Hash: 66078c618ecd33ebebbf5ac05cd984669572f446fe0ac765cc9f25ef1cc77d6b
                                                  • Instruction Fuzzy Hash: FF916770D05249DFDB05CFA5D891AEEBFB2FF89300F14986AD405AB291DB389A46CF10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05003AB5, Relevance: .2, Instructions: 184COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dc75ddd6a1fc224560629eceb988722dd0ebe55cfe700352254f70d8212ed05a
                                                  • Instruction ID: bc40105f4bced946ceb27b8f9dd10f048ecbb70dd54d31a8ccda7f2bed8fd5a7
                                                  • Opcode Fuzzy Hash: dc75ddd6a1fc224560629eceb988722dd0ebe55cfe700352254f70d8212ed05a
                                                  • Instruction Fuzzy Hash: 3E811270E05209DFDB05CFA5D894AEEBBB2FF89304F10946AD516BB294DB349A42CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05003AE0, Relevance: .2, Instructions: 175COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 15e9566ddbcbe7919a4d911f53e3ad1899c1ff68e3eb6f8236a726888a8d1fec
                                                  • Instruction ID: 3d361b4133cceebc0681de4312b45e8e2975a63ba0f08526ede3c06747142457
                                                  • Opcode Fuzzy Hash: 15e9566ddbcbe7919a4d911f53e3ad1899c1ff68e3eb6f8236a726888a8d1fec
                                                  • Instruction Fuzzy Hash: 6781F170E04209DFDB04DFA5D884AEEBBB2FF89300F10952AD516BB294DB349A42CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500CA50, Relevance: .2, Instructions: 169COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 11b22072c86a2a754806b9928f99e8d15072b15561d3a6b73e6abf31e50e76ad
                                                  • Instruction ID: e0b5d44ce4ba83d02f7a29f4def2b88f23f68215c51afa3175dcd0b6b7a7de18
                                                  • Opcode Fuzzy Hash: 11b22072c86a2a754806b9928f99e8d15072b15561d3a6b73e6abf31e50e76ad
                                                  • Instruction Fuzzy Hash: 346148B0D15219EFEB44CFE5E980AEDFFB1FB49324F14A52AE005A7294D73449458F14
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05004228, Relevance: .1, Instructions: 144COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 750436209d157689ea22fef2506c1cfb3f7ed49f467698dfffed3e1999af96d4
                                                  • Instruction ID: 08be680f80105cb3882bfe3ced2e6b494aaf6ef989f134979c2d52b5b758943b
                                                  • Opcode Fuzzy Hash: 750436209d157689ea22fef2506c1cfb3f7ed49f467698dfffed3e1999af96d4
                                                  • Instruction Fuzzy Hash: 48512D70E0824ADFDF08CFA6D4445AEFBF2EB89310F14E46AC515A7294D7349A41CF98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05002AEF, Relevance: .1, Instructions: 137COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 303da16cdc9aacdc2082c3abc8d1b283bfb3f89e5a815e35a6754d1c6334f402
                                                  • Instruction ID: 240af1a771816293a957fb7b4a6c911b9ff795dda4be3295a9939442c57ce5e4
                                                  • Opcode Fuzzy Hash: 303da16cdc9aacdc2082c3abc8d1b283bfb3f89e5a815e35a6754d1c6334f402
                                                  • Instruction Fuzzy Hash: 455114B4E042599FDB04DFA9D4849EDFBF2BF89310F18D5AAD814AB255C7309A81CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500CCE8, Relevance: .1, Instructions: 135COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f92b4702a31b005a972eb1c8c1242ce1bf1f6eac92ae0bfeea75e3192330e239
                                                  • Instruction ID: 1c2debe5796f812239f12578a999441ac760e8d323420f34ed47356070336034
                                                  • Opcode Fuzzy Hash: f92b4702a31b005a972eb1c8c1242ce1bf1f6eac92ae0bfeea75e3192330e239
                                                  • Instruction Fuzzy Hash: A4510B70E406198FEB68CF65DD457EEFBF2BB88300F1084EA954DA6294EB305A85CF00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05002F58, Relevance: .1, Instructions: 123COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 93c502d0d8c5c8bf3777e7bc22870d9233130ec62926a447173ebf08c2a8ecea
                                                  • Instruction ID: fe5d91be2d83317e91b6cc15b0b5d8262a74a4e199c9e2b586b67d8fb627050b
                                                  • Opcode Fuzzy Hash: 93c502d0d8c5c8bf3777e7bc22870d9233130ec62926a447173ebf08c2a8ecea
                                                  • Instruction Fuzzy Hash: 9D514B70E012599FDB54DF6AD880AAEFBF3BF89300F14D1AAD408AB255DB305986CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05004B88, Relevance: .1, Instructions: 72COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f7b3556e9e7c10571b44058830c6ddba137f40a5dcbf5e5fdf9bfd08281a2f48
                                                  • Instruction ID: 41e90d7577456fdd74e0a129016b940774b43612ae0a162f39679041156a7780
                                                  • Opcode Fuzzy Hash: f7b3556e9e7c10571b44058830c6ddba137f40a5dcbf5e5fdf9bfd08281a2f48
                                                  • Instruction Fuzzy Hash: EC31FBB1E006188FEB18CFAAD8546DEBBF3BFC9310F14C06AD509AA264DB355A45CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05002798, Relevance: 7.7, Strings: 6, Instructions: 225COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $$,:kr$,:kr$,:kr$,:kr$</kr
                                                  • API String ID: 0-3525831898
                                                  • Opcode ID: e8c3d4af36d1f1de95df53b82fed128361f63be134de3720b4c6519a55587447
                                                  • Instruction ID: 22f21885f7603570bddc3f9145f8df3a0ff79c8b3587396d0fb0d4fd12688271
                                                  • Opcode Fuzzy Hash: e8c3d4af36d1f1de95df53b82fed128361f63be134de3720b4c6519a55587447
                                                  • Instruction Fuzzy Hash: D7A10874E01229CFDB65CFA5C944BDDBBB2BF89304F1481DAD508AB291DB309A85CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BE1B, Relevance: 2.6, Strings: 2, Instructions: 145COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: :@Dr$9PG
                                                  • API String ID: 0-2317716240
                                                  • Opcode ID: 8dc938162eaa8f776b9ca6b45ed9e00e66625516a52bba7f0c43ebaf77297202
                                                  • Instruction ID: 985e7f59a9f0171cb3a957a96f0fc91a3bdda311d95d14d3fff691c3aefdde92
                                                  • Opcode Fuzzy Hash: 8dc938162eaa8f776b9ca6b45ed9e00e66625516a52bba7f0c43ebaf77297202
                                                  • Instruction Fuzzy Hash: 2A6191B4E01248DFDF14DFA4E5589ADBBB2FB88314F209429D41AAB358EB345A41CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BCC9, Relevance: 2.6, Strings: 2, Instructions: 133COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: :@Dr$9PG
                                                  • API String ID: 0-2317716240
                                                  • Opcode ID: bef7e3be768a2cc53d34f12155edfe3fcd97fe564870e86f5ca84f7478ec75a1
                                                  • Instruction ID: ff90f37128d2f3f5bad7360fec48e3abb9273ace9cb24bc4b06b62264cbd74c4
                                                  • Opcode Fuzzy Hash: bef7e3be768a2cc53d34f12155edfe3fcd97fe564870e86f5ca84f7478ec75a1
                                                  • Instruction Fuzzy Hash: 7D51C3B4E00248DFDF14DFA4D5589AEBBB2FF89314F209029D41AAB398DA345E42CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500CF26, Relevance: 2.6, Strings: 2, Instructions: 107COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: !t8u$!t8u
                                                  • API String ID: 0-3544044088
                                                  • Opcode ID: 30340f66e44c8920f3ebf15c68b8e39b08d948c25ece299f448af4998da0cca0
                                                  • Instruction ID: cf0ea9a5fbf093941bcb60431e84de89ded20ab2cb6a3386919657dfb1a5116e
                                                  • Opcode Fuzzy Hash: 30340f66e44c8920f3ebf15c68b8e39b08d948c25ece299f448af4998da0cca0
                                                  • Instruction Fuzzy Hash: 68510974D4022A8FEB74CF64D945BEDBBB1BB48300F1094EAD61DAA294EB705E85CF04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07251303, Relevance: 1.6, APIs: 1, Instructions: 102COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 072513B3
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 87c38f35bbc797bdf67287121be4072397eac82210058b7cf24a1c8b0775676a
                                                  • Instruction ID: 2741e31e30c101de019daba97cc1e0534e1f5b992e87603d7b6c85513061198f
                                                  • Opcode Fuzzy Hash: 87c38f35bbc797bdf67287121be4072397eac82210058b7cf24a1c8b0775676a
                                                  • Instruction Fuzzy Hash: 0731D471404384AFE7228B25DC44F67BFACEF06310F0484ABE985CB152D324A819CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07250C8A, Relevance: 1.6, APIs: 1, Instructions: 94COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetTokenInformation.KERNELBASE(?,00000E2C,8A8FB3BC,00000000,00000000,00000000,00000000), ref: 07250D34
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationToken
                                                  • String ID:
                                                  • API String ID: 4114910276-0
                                                  • Opcode ID: 1f862653e1ff3496083a6bf0eab2d7f0066b633817592081923dad5bc84a42b0
                                                  • Instruction ID: dfafd74f6d74fbe9021d341ac16049e0fbc1485c35382fa4e80134776b486716
                                                  • Opcode Fuzzy Hash: 1f862653e1ff3496083a6bf0eab2d7f0066b633817592081923dad5bc84a42b0
                                                  • Instruction Fuzzy Hash: 2731C472409785AFEB228F65DC45F97BFB8EF06310F08849BE9849B163D234A909C771
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DAC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 012DACD1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: 6872aed4b3bce3f4cc0eec87cc96ab0f01fcdaafbd5b5f31705eb9a8fb67ef8b
                                                  • Instruction ID: f9c906e9d97e2cf1d94909da7ee491661824758848297f7fd713c5a483bc47fb
                                                  • Opcode Fuzzy Hash: 6872aed4b3bce3f4cc0eec87cc96ab0f01fcdaafbd5b5f31705eb9a8fb67ef8b
                                                  • Instruction Fuzzy Hash: 9931B472544384AFE7228B25CC45F67BFBCEF06710F0884ABEE859B152D265A809CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0725076C, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0725080D
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 6272ff6ea55af7700f0bda070dec52de07fea65bad9e943688406e5cbdcfd0d0
                                                  • Instruction ID: d4600616dae431703168f796e90a8a2b05e1b01e66cb836d981736e88ed6939c
                                                  • Opcode Fuzzy Hash: 6272ff6ea55af7700f0bda070dec52de07fea65bad9e943688406e5cbdcfd0d0
                                                  • Instruction Fuzzy Hash: 68316BB1504340AFE722CB65CC44F66BFE8EF45610F0884AEED858B252D375E809CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DAD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E2C,8A8FB3BC,00000000,00000000,00000000,00000000), ref: 012DADD4
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: a578aa5727add91d70e94a5046e5b394299669afb70af9bf6ac5b2d68a7cb56f
                                                  • Instruction ID: f39e4055b40512307648d4ade38abc9ceeaafe3deeba4e172875a0544ed487ba
                                                  • Opcode Fuzzy Hash: a578aa5727add91d70e94a5046e5b394299669afb70af9bf6ac5b2d68a7cb56f
                                                  • Instruction Fuzzy Hash: D631A471509384AFE722CB25CC45F92BFF8EF06310F18849AEA85CB253D264E549CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07250F23, Relevance: 1.6, APIs: 1, Instructions: 85COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 07250FBF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: OpenPolicy
                                                  • String ID:
                                                  • API String ID: 2030686058-0
                                                  • Opcode ID: 2fd6f66c741cdd171a817d0dfb9347a9e975714570dc8f76bfb3e9557932fd85
                                                  • Instruction ID: 3d6e7bf74c3987e04611db23235fb307e2d9b60dff209bb3683f03f737a4ae2e
                                                  • Opcode Fuzzy Hash: 2fd6f66c741cdd171a817d0dfb9347a9e975714570dc8f76bfb3e9557932fd85
                                                  • Instruction Fuzzy Hash: 0E21A272504384AFE721DF65DC84F66FFA8EF45310F18889AED849B252D235A808CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07251336, Relevance: 1.6, APIs: 1, Instructions: 80COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 072513B3
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: c3e689df75b5096b6bb891cecf123f594904b5054ee27cd985f766b3646c3a37
                                                  • Instruction ID: e571471194de6aa7aa38440eaa75150f72ad766db95b8a43efe3a3a9ebfc1a21
                                                  • Opcode Fuzzy Hash: c3e689df75b5096b6bb891cecf123f594904b5054ee27cd985f766b3646c3a37
                                                  • Instruction Fuzzy Hash: FD21CFB2500309AFEB219F65DC84F6BFBECEF04320F14886AEE459B651D670A4198B71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DA2AC, Relevance: 1.6, APIs: 1, Instructions: 77COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 012DA346
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: ConsoleCtrlHandler
                                                  • String ID:
                                                  • API String ID: 1513847179-0
                                                  • Opcode ID: d0eac795002060d8509072bc886b3385b76d2c84afa438eb391827c33341ba82
                                                  • Instruction ID: 39c1dcbbc5377ceb58022aaaf0fd294c35540227f37a5f5c831aa294de010043
                                                  • Opcode Fuzzy Hash: d0eac795002060d8509072bc886b3385b76d2c84afa438eb391827c33341ba82
                                                  • Instruction Fuzzy Hash: 7721A47144D3C06FD3138B259C51B22BFB4EF87610F0981DBE884CB653D225A919C7B2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0725078E, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0725080D
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: b814930939a217ce13f6f3a9fb16cd6365ba1ce2d3ebc3f7219b2340590bbe86
                                                  • Instruction ID: d2c5618227692820f516af43c96a12d89c7afadf36192df18ca7eab490a983c2
                                                  • Opcode Fuzzy Hash: b814930939a217ce13f6f3a9fb16cd6365ba1ce2d3ebc3f7219b2340590bbe86
                                                  • Instruction Fuzzy Hash: B62169B1510601AFE721DF65CD88F66FBE8EF08710F14846AEE898B651D371E808CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07251411, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DeleteFileW.KERNELBASE(?), ref: 07251498
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: c6024139009f68fba564202bafb2f37dcb897174510b8b971941502df59d486d
                                                  • Instruction ID: 60883cd50e63f95211001b949d96621e6534a3bfe65b8343f63fe606942cfa05
                                                  • Opcode Fuzzy Hash: c6024139009f68fba564202bafb2f37dcb897174510b8b971941502df59d486d
                                                  • Instruction Fuzzy Hash: 632190B25093C59FDB12CB25DC55B92BFB4EF07210F0984DADD848F263D275A908CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DAC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 012DACD1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: 35f1aaf6a0eec29b1077450c595f35fbbba79f61b8514ca30cde2047c8cb5bee
                                                  • Instruction ID: bc326a28c415c95174daad4ae2fb6ae6898829951916b3967740f91446b241c7
                                                  • Opcode Fuzzy Hash: 35f1aaf6a0eec29b1077450c595f35fbbba79f61b8514ca30cde2047c8cb5bee
                                                  • Instruction Fuzzy Hash: 2221C072500704AFE7219F69DC85F6BFBECEF08720F14846BEE459B241D664E9088BB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0725091F, Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetFileType.KERNELBASE(?,00000E2C,8A8FB3BC,00000000,00000000,00000000,00000000), ref: 072509A5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID:
                                                  • API String ID: 3081899298-0
                                                  • Opcode ID: 0e0d2aeb0ac94c61a97de301d289b71ac2a1b9bcb122f65b5ecbf37d0af65690
                                                  • Instruction ID: e8e85f1e84bc4450a27fa5aab9b0e728bbebdab8a500556d2f69e2155d765870
                                                  • Opcode Fuzzy Hash: 0e0d2aeb0ac94c61a97de301d289b71ac2a1b9bcb122f65b5ecbf37d0af65690
                                                  • Instruction Fuzzy Hash: F821D8B64483846FE7128B25DC40FA2BFA8DF47710F1880DBED849B253D264A909C771
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07250F4E, Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 07250FBF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: OpenPolicy
                                                  • String ID:
                                                  • API String ID: 2030686058-0
                                                  • Opcode ID: 98bef438753dd8464aa0c8262a7bad9aacab457d8e0be6dee893a956bd781977
                                                  • Instruction ID: 01a7e96625b10b308818ae536f00e9999520991b183e190e2224c721cdaae4b1
                                                  • Opcode Fuzzy Hash: 98bef438753dd8464aa0c8262a7bad9aacab457d8e0be6dee893a956bd781977
                                                  • Instruction Fuzzy Hash: B62190B2500304AFE720DF69DC85F6AFBACEF44710F14886AEE459B241D674A4098B75
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07250AC2, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • WriteFile.KERNELBASE(?,00000E2C,8A8FB3BC,00000000,00000000,00000000,00000000), ref: 07250B41
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: 88e63a9da8d3165f6d54d4163e9850d7c1d8b479739c327c42c429031bb17cf3
                                                  • Instruction ID: 43729cfb2a5e2e84bbb2f546d9e9e5d0b35f99ea0d03138794512ba6df532ce8
                                                  • Opcode Fuzzy Hash: 88e63a9da8d3165f6d54d4163e9850d7c1d8b479739c327c42c429031bb17cf3
                                                  • Instruction Fuzzy Hash: B8215072405344AFDB228F65DC84F57BFB8EF46320F08859BEE459B152D275A508CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07250CCA, Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetTokenInformation.KERNELBASE(?,00000E2C,8A8FB3BC,00000000,00000000,00000000,00000000), ref: 07250D34
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationToken
                                                  • String ID:
                                                  • API String ID: 4114910276-0
                                                  • Opcode ID: 5807b08478b20b97d1ac9da36f1b59ff224ee77968cdf6d5f6c8e162c8df0600
                                                  • Instruction ID: 38857181d725b6c6d17cb5d35851708ea714ea7e59ceeb1f97e91b54388db126
                                                  • Opcode Fuzzy Hash: 5807b08478b20b97d1ac9da36f1b59ff224ee77968cdf6d5f6c8e162c8df0600
                                                  • Instruction Fuzzy Hash: B111CDB2500205AFEB218F65DC84FABFBACEF05320F04846BEE459B251D670E808CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DAD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E2C,8A8FB3BC,00000000,00000000,00000000,00000000), ref: 012DADD4
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: 2738219547fd9bdfec62243e3d9c82bd530af3855ad80943413004c49ce6b464
                                                  • Instruction ID: a9d737dd26591484621b5d350fcd872bcf56c72c5ab581e77cbc638d7ee8814c
                                                  • Opcode Fuzzy Hash: 2738219547fd9bdfec62243e3d9c82bd530af3855ad80943413004c49ce6b464
                                                  • Instruction Fuzzy Hash: D6218C71600604AFE721DF29CC85FA7BBECEF04711F18846AEE459B252D7A4E508CBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 072516D4, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07251754
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: ef165b4e174016a8056e2af3497a2a90ad1c131b03bff6fde53be542c75996be
                                                  • Instruction ID: 2ce27ca778bca7d1b997adf50d58b155723a9e0e62ac21240ae1a0cf370af065
                                                  • Opcode Fuzzy Hash: ef165b4e174016a8056e2af3497a2a90ad1c131b03bff6fde53be542c75996be
                                                  • Instruction Fuzzy Hash: 1721CF760093C19FD7128B25DC44A92FFF4EF06220F0980DEDD858B163D224A958DB21
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DB7C9, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 012DB845
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadShim
                                                  • String ID:
                                                  • API String ID: 1475914169-0
                                                  • Opcode ID: cb1f0ded151246863b53d6f9f91d8789c57f4a4215f1bb5d508d8c99824db4e2
                                                  • Instruction ID: e9e7e3250804a6ab20f2e734d76726a1b0cad14f9bc48d0ad6d1c7986ea14395
                                                  • Opcode Fuzzy Hash: cb1f0ded151246863b53d6f9f91d8789c57f4a4215f1bb5d508d8c99824db4e2
                                                  • Instruction Fuzzy Hash: B8219075509380AFE7228A25DC45B62BFE8EF06614F09809AEE84CB253D275E908CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07251835, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 072518A9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 5bc35e59f76b8ddca134eb980139b9685cd942117b14b0619a59e470e53b733e
                                                  • Instruction ID: 2c3e61b21658cc7f620c8fefdb6a276ab3f0ff2e460796c73342f33bf86aad6c
                                                  • Opcode Fuzzy Hash: 5bc35e59f76b8ddca134eb980139b9685cd942117b14b0619a59e470e53b733e
                                                  • Instruction Fuzzy Hash: 4B218C714093C4AFEB238B25CC44A52BFB4EF07220F0984DBED848F163D265A858DB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DA5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012DA666
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: ad1e94825ef1a9f6ad20120c531f3ad6723996a7c4c2ebd7003473567d9b3dc9
                                                  • Instruction ID: 75493d9d2d0949d2409f0ba5ab075c92db3878bf792fc4713e1fc51ab1b614a0
                                                  • Opcode Fuzzy Hash: ad1e94825ef1a9f6ad20120c531f3ad6723996a7c4c2ebd7003473567d9b3dc9
                                                  • Instruction Fuzzy Hash: 7E11B471409380AFDB238F54DC44E62FFF4EF4A210F0884DAEE858B163D275A418DB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07250AE2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • WriteFile.KERNELBASE(?,00000E2C,8A8FB3BC,00000000,00000000,00000000,00000000), ref: 07250B41
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: 5779ca59bba581da45a98191177410d5b9d41c10b1b2ddec95768734125d9095
                                                  • Instruction ID: 136dcff3f6c9cf41084fbc1f255094c93fc4ff2b267f1754c5189f04ccfa18ac
                                                  • Opcode Fuzzy Hash: 5779ca59bba581da45a98191177410d5b9d41c10b1b2ddec95768734125d9095
                                                  • Instruction Fuzzy Hash: F111BF71400604EFEB219F65DC84FAAFFA8EF45324F14856BEE499B251D2B4A408CBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07251633, Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07251698
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: f766ac8f387b29482ed017585b700cd6cf1211d32ad761453ec182ec308d92ae
                                                  • Instruction ID: d158d343e990c5a3f5d14ee41befdb49309af01c9008a15935eef270d25d3508
                                                  • Opcode Fuzzy Hash: f766ac8f387b29482ed017585b700cd6cf1211d32ad761453ec182ec308d92ae
                                                  • Instruction Fuzzy Hash: 4C11E276009785AFDB228F21DC40A52FFF4EF06220F0885DEEE858B663D275A458DB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07251B23, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 07251B8D
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 25b91cb97f6a21230d57bfbbdc4d71017d9cbb8704b4de02e0445b81ae80666e
                                                  • Instruction ID: a29aef8bdf94a75e4209c4f584ebb70689ba728c081a9eb453fed20b4b09565e
                                                  • Opcode Fuzzy Hash: 25b91cb97f6a21230d57bfbbdc4d71017d9cbb8704b4de02e0445b81ae80666e
                                                  • Instruction Fuzzy Hash: A811D071409384AFDB228F15DC85B52FFB4EF06224F08C4DEED854B663D275A418CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0725158C, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetThreadContext.KERNELBASE(?,?), ref: 072515EB
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: ContextThread
                                                  • String ID:
                                                  • API String ID: 1591575202-0
                                                  • Opcode ID: d081fa37d0095176a3b8ff038f9c0e300cabda381ad065650e7fc513ad67a595
                                                  • Instruction ID: 04df574dc1ef4bf93a740e7aebdf89884d9531faea60895d92fb7f3490c1d02c
                                                  • Opcode Fuzzy Hash: d081fa37d0095176a3b8ff038f9c0e300cabda381ad065650e7fc513ad67a595
                                                  • Instruction Fuzzy Hash: C711CEB15083859FD721CF25CC84B56FFE8EF06220F0880AEED458B262D274E958CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07250952, Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetFileType.KERNELBASE(?,00000E2C,8A8FB3BC,00000000,00000000,00000000,00000000), ref: 072509A5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID:
                                                  • API String ID: 3081899298-0
                                                  • Opcode ID: 0a706448d4ce853c4886b56855ae2ecbef1df21a65431259bb7f321722ea59d5
                                                  • Instruction ID: a744ee1ab0318a8b8a9d22874c239cfb302f1b60d2c7bd3ea2143d6de64b48bf
                                                  • Opcode Fuzzy Hash: 0a706448d4ce853c4886b56855ae2ecbef1df21a65431259bb7f321722ea59d5
                                                  • Instruction Fuzzy Hash: 190122B1404204EEE720DB29CC85F67FF98DF05720F14C0ABEE459B245C2B4A508CBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DAEF0, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 012DAF50
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 223e6b31261bbdfadab99e772831fb8014bcef8c2105a03d1a32fe85b22bc63a
                                                  • Instruction ID: 571d20c915f6708f9dcfc99680bc1bcb79c79602de4e702906206814e9262319
                                                  • Opcode Fuzzy Hash: 223e6b31261bbdfadab99e772831fb8014bcef8c2105a03d1a32fe85b22bc63a
                                                  • Instruction Fuzzy Hash: 52119E72409784AFDB228F15DC44E52FFF4EF0A220F0884DEEE854B662C375A418CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DA42A, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetErrorMode.KERNELBASE(?), ref: 012DA480
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 6f21ad00d05a0c747fd9acd4f5b09f44881703c4c4d8dfc9216527ec750327b7
                                                  • Instruction ID: 6aab7088013db0bd8e794d74226b0787ca1002f63c3a0330fbd3776e2cbf4478
                                                  • Opcode Fuzzy Hash: 6f21ad00d05a0c747fd9acd4f5b09f44881703c4c4d8dfc9216527ec750327b7
                                                  • Instruction Fuzzy Hash: A3018475409384AFD7128B15DC44B62FFA8DF46624F08C0DAEE855B253D275A908DB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DAAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: LongWindow
                                                  • String ID:
                                                  • API String ID: 1378638983-0
                                                  • Opcode ID: 6f73edf8e62e9f40d4d649c53b436f22cdd21105f82769291dd6dc8b2f50d5a2
                                                  • Instruction ID: fc691ba605a5a65dcb0bd1b1f819f1a31128021e1b83e9ae4dfe4224c513061a
                                                  • Opcode Fuzzy Hash: 6f73edf8e62e9f40d4d649c53b436f22cdd21105f82769291dd6dc8b2f50d5a2
                                                  • Instruction Fuzzy Hash: 7F117C31409784AFD7228F15DC85A52FFF4EF06220F08C49AEE894B263D275A818CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0725170E, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07251754
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 759d7b229ec8c226d4f1a5c5351351a14b4f640cf349e0408730422eae560de8
                                                  • Instruction ID: c1892599c2dee564c7cab0732c027eab8adb48aa34f560555a1cd2fff12fcf98
                                                  • Opcode Fuzzy Hash: 759d7b229ec8c226d4f1a5c5351351a14b4f640cf349e0408730422eae560de8
                                                  • Instruction Fuzzy Hash: F501AD75510605DFDB208F19D884B66FBE4EF04220F08C0AADD498B612D3B1E868CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0725145E, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DeleteFileW.KERNELBASE(?), ref: 07251498
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: 46737268fda7b094a3862669ef83069d543a103329fcd4c0e7aa09b5d6d245e7
                                                  • Instruction ID: b83b5ee2fe8e4b15078c6f27e07b8be606974dc9479bfc6f61d8ae97f3ffb866
                                                  • Opcode Fuzzy Hash: 46737268fda7b094a3862669ef83069d543a103329fcd4c0e7aa09b5d6d245e7
                                                  • Instruction Fuzzy Hash: 9F01B1B15102459FDB10DF2AD884766FFD8EF01220F18D4AADD09CB346E6B4E818CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DB7FA, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 012DB845
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadShim
                                                  • String ID:
                                                  • API String ID: 1475914169-0
                                                  • Opcode ID: def9eaeb61f21dde75e0e0bd72f6033299a5ddcd6f589fda00aab64d88f76e10
                                                  • Instruction ID: 41dbc430609eb2eef0c05d898a5b272fb9094f60e4e7dd93935bb84e10a2ca94
                                                  • Opcode Fuzzy Hash: def9eaeb61f21dde75e0e0bd72f6033299a5ddcd6f589fda00aab64d88f76e10
                                                  • Instruction Fuzzy Hash: EF0140759106409FD760DF19D846B26FFE4EF05610F08C45ADE49CB756D2B5E408CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DA622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012DA666
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: ab2345896fd9ade6ad9fd6e4ab5ddb82f1083a636866b4c86b989151cbbbd7e1
                                                  • Instruction ID: 51f10222630b984562a2a21b82eb149139f3bb97c8ecf3825986078e865feca1
                                                  • Opcode Fuzzy Hash: ab2345896fd9ade6ad9fd6e4ab5ddb82f1083a636866b4c86b989151cbbbd7e1
                                                  • Instruction Fuzzy Hash: C8018031410640EFDB228F65D844B56FFE4EF48320F08C9AADE494B612D2B5A418DFA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 072515AE, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetThreadContext.KERNELBASE(?,?), ref: 072515EB
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: ContextThread
                                                  • String ID:
                                                  • API String ID: 1591575202-0
                                                  • Opcode ID: 6f9d1b2a2258a0ec74e38867a04f0ac7e7085b018a3118774e61685c46bb4a57
                                                  • Instruction ID: dfdd4f6a405712f1b95ec86245931aef6e43ec6144fb6cb4dc5f247b39b6af6e
                                                  • Opcode Fuzzy Hash: 6f9d1b2a2258a0ec74e38867a04f0ac7e7085b018a3118774e61685c46bb4a57
                                                  • Instruction Fuzzy Hash: 8001D4B5610245DFDB10CF19D884B66FBD4EF05320F08C0AEDE0A8B751D6B5E858CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0725165A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07251698
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: de597a4c5c65f1a996864c59caeb53717b966ab494ce67fb602285ba1879e6d1
                                                  • Instruction ID: 7c44821fedf5db33c8f984f51377c4b0ccc35cf0b3e55007762750334cd57720
                                                  • Opcode Fuzzy Hash: de597a4c5c65f1a996864c59caeb53717b966ab494ce67fb602285ba1879e6d1
                                                  • Instruction Fuzzy Hash: 31019E75510604DFDB208F15D884B66FFE4EF05320F08C5AEDE494A662D2B2A468DF62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DA2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 012DA346
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: ConsoleCtrlHandler
                                                  • String ID:
                                                  • API String ID: 1513847179-0
                                                  • Opcode ID: 0da5aed22e71322183ff73036d3c6dbbd86bce745c62f9566c174ecfe2f8ca7d
                                                  • Instruction ID: 2ac8e28386e43c8859f7aee6dba46596d1728bed0f89a98ddf720abdf77f5759
                                                  • Opcode Fuzzy Hash: 0da5aed22e71322183ff73036d3c6dbbd86bce745c62f9566c174ecfe2f8ca7d
                                                  • Instruction Fuzzy Hash: 94018F71500600ABD210DF16DC86B26FBA8EB88A20F14815AED084B741E371B915CBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 07251B52, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 07251B8D
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: e4b33f927cccf2aca51e1f4d99873e5dc194bbacec1049619461258a108c1f3a
                                                  • Instruction ID: f533360396711fd545ea6af1b9286c9ab5a431708e6ba5309612c71a4ab4c5b5
                                                  • Opcode Fuzzy Hash: e4b33f927cccf2aca51e1f4d99873e5dc194bbacec1049619461258a108c1f3a
                                                  • Instruction Fuzzy Hash: 2701BC75510605DFDB208F15D884B66FFE0EF05320F08C4AEDE4A4B612E2B1A428CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DAF12, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 012DAF50
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 2c62bace78867d5f868f06196f232d93258ae0038d1aef132146abedae0f0240
                                                  • Instruction ID: 1bcb5a336d4acfd6599f15beb04bb54a29fc6ddad4d52034b1fe197b58453bd0
                                                  • Opcode Fuzzy Hash: 2c62bace78867d5f868f06196f232d93258ae0038d1aef132146abedae0f0240
                                                  • Instruction Fuzzy Hash: 4F017C71410600EFDB219F55D845B66FFA0EF08320F08C4DADE490B662D2B6A418DBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0725186E, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 072518A9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.240971468.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 56b694f0125e12e35ab0299ecfe653db5b85e503478c6c6767a99eac7cb1e814
                                                  • Instruction ID: 77cc4a414d7ff815722664efa78c2a6b2988b03302e31bfa349c54c80eba00a9
                                                  • Opcode Fuzzy Hash: 56b694f0125e12e35ab0299ecfe653db5b85e503478c6c6767a99eac7cb1e814
                                                  • Instruction Fuzzy Hash: 64018B71810608DFEB308F55D888B26FFE0EF09320F18C49ADE490B616D3B5A468CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DAB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: LongWindow
                                                  • String ID:
                                                  • API String ID: 1378638983-0
                                                  • Opcode ID: 80293e146b3ace31ffaa2c42dcf892e76f7327919ddb1a2139d406935e25735e
                                                  • Instruction ID: 2011928c7e1cb9fc6e8badb60ff1c9aa4dd948b8445394089130aa3b10cdbf62
                                                  • Opcode Fuzzy Hash: 80293e146b3ace31ffaa2c42dcf892e76f7327919ddb1a2139d406935e25735e
                                                  • Instruction Fuzzy Hash: F101D131414644DFDB208F09D885B12FFE0EF14720F08C8AADE4A0B652D2B5A419CF72
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012DA44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetErrorMode.KERNELBASE(?), ref: 012DA480
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235463363.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 82d8c86d6fe14ffcb3ef1cf02aa0c7caf1db52d0d51f610121ae63044da116d9
                                                  • Instruction ID: 9a897261256d497dc3131a839400500941419b9fb99f3d0c15639e9de61d291b
                                                  • Opcode Fuzzy Hash: 82d8c86d6fe14ffcb3ef1cf02aa0c7caf1db52d0d51f610121ae63044da116d9
                                                  • Instruction Fuzzy Hash: 9EF0AF35814644DFDB209F19D889B62FFA4EF04320F18C4AADE494B316D2B9A408CFA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500879F, Relevance: .2, Instructions: 153COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 25fa45276983b900cfd1f6cb9cd08d1431f3371a739315f84a442545d3c20f61
                                                  • Instruction ID: e119299986a03d39bee26ca5d95f70f1e266c7bf8db42c3f2cbccae7cff909cb
                                                  • Opcode Fuzzy Hash: 25fa45276983b900cfd1f6cb9cd08d1431f3371a739315f84a442545d3c20f61
                                                  • Instruction Fuzzy Hash: 68717870905248DFDB44DFA5E688A8CBFF1FF48354F20966AD406AF298DB319A41CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05008865, Relevance: .1, Instructions: 149COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0796d0c88570693466be1bc8d12f12af2e02b60070303bee1edb9f5a50fd1952
                                                  • Instruction ID: 548a903c484a9efff962f95604ef74bc6ee3fe2f0430b623b5375804a2e59580
                                                  • Opcode Fuzzy Hash: 0796d0c88570693466be1bc8d12f12af2e02b60070303bee1edb9f5a50fd1952
                                                  • Instruction Fuzzy Hash: B3715770A05249DFDB44DFA5E688A8CBFF1FF08355F20A56AD415AF298DB309A81CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05008B9E, Relevance: .1, Instructions: 148COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a880de56d3fcec94b97726e325d55e0de7284e8ce800b9ce7cb5fe73b1f07c45
                                                  • Instruction ID: 0a0c6071a5595d0e7167ac29be5797e99ea5ff1c93ca9cbbcd2dccf9937bd5e9
                                                  • Opcode Fuzzy Hash: a880de56d3fcec94b97726e325d55e0de7284e8ce800b9ce7cb5fe73b1f07c45
                                                  • Instruction Fuzzy Hash: 49618B70A05249DFDB84DFA5E688A8CBFF1FF08355F20A56AD005AF298DB319A41CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050087C8, Relevance: .1, Instructions: 147COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5880b7fca3e73edbb11a72e3e0ab71cd18baf4ff7b86f3979b4a0e3ea31da9a0
                                                  • Instruction ID: 617e290e4b0bcd8a946513417774bcf58dd9da80d8b0285673b2ed1958ea2403
                                                  • Opcode Fuzzy Hash: 5880b7fca3e73edbb11a72e3e0ab71cd18baf4ff7b86f3979b4a0e3ea31da9a0
                                                  • Instruction Fuzzy Hash: 88616970A05249DFDB44DFA5E688A8CBBF1FF48355F20966AD409AF398DB319941CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500882C, Relevance: .1, Instructions: 140COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a48fa09726ab1136cef7872f3089bcd30a7bc0127c4ee8dcefe1d492f234bc0a
                                                  • Instruction ID: 2c2c173ab38e27e68f5ee6d6c4fafdb16c672691bb2dcd629ee41745cfd253ce
                                                  • Opcode Fuzzy Hash: a48fa09726ab1136cef7872f3089bcd30a7bc0127c4ee8dcefe1d492f234bc0a
                                                  • Instruction Fuzzy Hash: 04614770A05249DFDB44DFA5E688A9CBFF1FF48355F20A56AD405AF298DB309A81CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05008C63, Relevance: .1, Instructions: 138COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ab8e37bcfd7d55b98e8f463d18ed7b260d5300da3ed2a2e9d391223fb17ff9f2
                                                  • Instruction ID: 6b06cc0582c81e62bf099110d7cfd8b3dd7a5edc7b7635d026715900fb74d9e1
                                                  • Opcode Fuzzy Hash: ab8e37bcfd7d55b98e8f463d18ed7b260d5300da3ed2a2e9d391223fb17ff9f2
                                                  • Instruction Fuzzy Hash: EA518B70A05249DFDB44DFA5E684A8CBFF1FF04365F20A66AD416AF298DB319A41CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500875B, Relevance: .1, Instructions: 137COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a92575b95d64a6d7ad7677bfb9e155a01bff38009e84bf7501b163c390932726
                                                  • Instruction ID: c54b56176154d39035bc0d57fc93ce64f9b6352635b543fdf214e1c662d9c7af
                                                  • Opcode Fuzzy Hash: a92575b95d64a6d7ad7677bfb9e155a01bff38009e84bf7501b163c390932726
                                                  • Instruction Fuzzy Hash: 3C615870A05249DFDB44DFA5E688A8CBFF1FF48354F20966AD419AB398DB319A41CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05008B1F, Relevance: .1, Instructions: 133COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 29c51dc3f0bd616417491137b2d2df6ca088b001824be4987314be078623102e
                                                  • Instruction ID: b558f78c96f7fbef253dcbe5f336bc9d800b07dc1cadb35182100042dbc0c66e
                                                  • Opcode Fuzzy Hash: 29c51dc3f0bd616417491137b2d2df6ca088b001824be4987314be078623102e
                                                  • Instruction Fuzzy Hash: 4A515970A05249DFDB44DFA5E684A8CBFF1FF44354F20A669D416AF298DB319A41CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05008B95, Relevance: .1, Instructions: 128COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9487e0b2b45f9c39c7cb8d4206a282c508a735ec95a0b9c6de2c4a72a5f78157
                                                  • Instruction ID: c408b99ef402dbf4861b3397f68eafb9c76d5be496d0259bc80774e3fc90a063
                                                  • Opcode Fuzzy Hash: 9487e0b2b45f9c39c7cb8d4206a282c508a735ec95a0b9c6de2c4a72a5f78157
                                                  • Instruction Fuzzy Hash: 0D516870A05249DFDB44DFA5E688A8CBFF1FF48354F20A66AD415AF298DB319A41CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500CF0F, Relevance: .1, Instructions: 92COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 83ce4fbaa2d149f5037cb60b1ed9567c6dc6ba72b2113b12e1f6a3c04d837634
                                                  • Instruction ID: aa661f1dedd30c4ac7453cf77a7b5b435e5bc3f3ca40df424d5ee603f9b472bd
                                                  • Opcode Fuzzy Hash: 83ce4fbaa2d149f5037cb60b1ed9567c6dc6ba72b2113b12e1f6a3c04d837634
                                                  • Instruction Fuzzy Hash: 01413A74D4021A9FEB74CF64D985BEDFBB1BB48300F0154EAD619AA280EB709E858F00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05004440, Relevance: .1, Instructions: 77COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80e8d7e9d963238cf06e500add2a0200360b7c01a46dabcd7b69bc79cc37edd2
                                                  • Instruction ID: ab1e111ca4a35419b4d8d3ba7ef7c0afcf63717b4935fe0c8d887d314efca879
                                                  • Opcode Fuzzy Hash: 80e8d7e9d963238cf06e500add2a0200360b7c01a46dabcd7b69bc79cc37edd2
                                                  • Instruction Fuzzy Hash: 5F3127B4E0420ADFCB44CFA9D5809AEBBF1FF89300F10946AD815AB354D7349A42CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05002450, Relevance: .1, Instructions: 76COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5f7a9bd476a0c6eab3e5da9e4d3960d707b7db4188cfd271f80af8c67f61fa19
                                                  • Instruction ID: ee221efff2e1c3824fcee5cc2484c835a2e186803ce07408b3af46b707a7d476
                                                  • Opcode Fuzzy Hash: 5f7a9bd476a0c6eab3e5da9e4d3960d707b7db4188cfd271f80af8c67f61fa19
                                                  • Instruction Fuzzy Hash: 0931B174E01209DFDB48CFAAD444AAEBBF2BF88300F14946AC805A7394D7359A41CF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05004450, Relevance: .1, Instructions: 73COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65c0bb418d004d366fead28f75a23425645a2252e3ccd9e5727c3be45297271d
                                                  • Instruction ID: 49730deb95631708e3a80f1fba3d6621103662547ae9fe2fcb045544387d3835
                                                  • Opcode Fuzzy Hash: 65c0bb418d004d366fead28f75a23425645a2252e3ccd9e5727c3be45297271d
                                                  • Instruction Fuzzy Hash: 8D3118B4E04209DFDB44CFA5D5809AEBBF2FF88300F10A46AD915AB754D774AA41CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050097CD, Relevance: .1, Instructions: 68COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c22c1d4c6977bd26895db9dd60a2259da3594f8f5a1736e0861109f38ce581ab
                                                  • Instruction ID: b1b2ef68a2e5c6a744ad23d182a2a802cfea88f3010e3b9d95532c4b13e89940
                                                  • Opcode Fuzzy Hash: c22c1d4c6977bd26895db9dd60a2259da3594f8f5a1736e0861109f38ce581ab
                                                  • Instruction Fuzzy Hash: 7A218BB4D08249DFDB05CFA5D8645ADBFF2FF89200F2494AAD805A7356DB349E02CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05005FF0, Relevance: .1, Instructions: 68COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 19ab661b91d5a2d1eee614021fbd2f7cb07dbd7a5a45b976dd0f990598afb48f
                                                  • Instruction ID: 7f36077b11f6e60def23dd25e7649b22205414f49827329a74c760491f307d90
                                                  • Opcode Fuzzy Hash: 19ab661b91d5a2d1eee614021fbd2f7cb07dbd7a5a45b976dd0f990598afb48f
                                                  • Instruction Fuzzy Hash: 21217C70D4821ADFDB04CFA5E4545AFBFF2FF49200F10E5AAC405AB295D7319A52DB41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05004561, Relevance: .1, Instructions: 67COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e42e580feb96bfc77dff63411006908a5358b08e3b9a928ca167588deef65407
                                                  • Instruction ID: 049eb81aacf99b743f2d642df0e14b75b0a36689cb5191e988c4051fda8fb20b
                                                  • Opcode Fuzzy Hash: e42e580feb96bfc77dff63411006908a5358b08e3b9a928ca167588deef65407
                                                  • Instruction Fuzzy Hash: 2B2164B0E04209DFCB04CFA9D581AAEBBF2FF88300F1095AAD204AB351D734AA018F51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0297075C, Relevance: .1, Instructions: 59COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235655673.0000000002970000.00000040.00000040.sdmp, Offset: 02970000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5ff9cba6c87910014e7f4d03d04bb3d72fe4130e7a90b04fc77613f4cf928e31
                                                  • Instruction ID: ed7c8767040904f8c92fcbf8d5f1fda4e6855022789ba8ae22a2a8567672891d
                                                  • Opcode Fuzzy Hash: 5ff9cba6c87910014e7f4d03d04bb3d72fe4130e7a90b04fc77613f4cf928e31
                                                  • Instruction Fuzzy Hash: 2111B134204284EFD715CB24C984B26BBE9AB88B08F24C9ADE9491B653C77BD803CE51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05000015, Relevance: .1, Instructions: 58COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4b60d9e0c7c97d88bf460842a42a7197e353f2f25a4de4fffd06c01ec6d37a45
                                                  • Instruction ID: 17426e385c00f5400c96c10bf6d3af43f67d37a289f84f2d95da6225a5b6e8a8
                                                  • Opcode Fuzzy Hash: 4b60d9e0c7c97d88bf460842a42a7197e353f2f25a4de4fffd06c01ec6d37a45
                                                  • Instruction Fuzzy Hash: 7811296055E3C48FC31797B498257BA3FB0AF43104F0A49EBC881DB1A3CA284919D722
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050060E8, Relevance: .1, Instructions: 54COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9f776fcb44577133fd4edde1760e66c735f4990dd879b0999b79642097e3a524
                                                  • Instruction ID: 0a7c2be14ba0d825f9d4e7225a13b9ca4189b3b8d87877306d7b740b17c9e706
                                                  • Opcode Fuzzy Hash: 9f776fcb44577133fd4edde1760e66c735f4990dd879b0999b79642097e3a524
                                                  • Instruction Fuzzy Hash: DE215E74E15108EFDB05CFA8D5989ADFFF2EF8D200F18C49AD414AB266D7319A11DB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050060F8, Relevance: .1, Instructions: 51COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 016921ef4442c89414f7b6ce378ffbec214de4dee61d07effee2b128b76d1634
                                                  • Instruction ID: 44ba729d90f3d2fc9d99c6fb8720a29244ae20f2bdd67bee93db580aa5babe95
                                                  • Opcode Fuzzy Hash: 016921ef4442c89414f7b6ce378ffbec214de4dee61d07effee2b128b76d1634
                                                  • Instruction Fuzzy Hash: A4110A74E00108EFDB04DFA9D558AADFBF2FF88200F19D499D519AB265DB319A51CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 029705CF, Relevance: .0, Instructions: 45COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235655673.0000000002970000.00000040.00000040.sdmp, Offset: 02970000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 70ef2d94d41597a573ecdcaf2a43d9901ee82fedfc88ad86b6550ea586bf2f36
                                                  • Instruction ID: 9aa86cb3446dc487f34dd875beae18abd81cc77e1832ed4543cd9513a7dca69b
                                                  • Opcode Fuzzy Hash: 70ef2d94d41597a573ecdcaf2a43d9901ee82fedfc88ad86b6550ea586bf2f36
                                                  • Instruction Fuzzy Hash: 0401D6B25083805FD7128B06AC44862FFE8DE86620708C0AFED498B612D165A908CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05002EC7, Relevance: .0, Instructions: 40COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc2900835509cb43d2872827778549270c0c08e58ba7e6f253a55afde2b1b149
                                                  • Instruction ID: 4eb437f1cb87633934a69c3ec6e353670ef978344f428c2410334077ba3d46ad
                                                  • Opcode Fuzzy Hash: bc2900835509cb43d2872827778549270c0c08e58ba7e6f253a55afde2b1b149
                                                  • Instruction Fuzzy Hash: 3701213094834ADFCB51DFB4E9491AEBFF0EB46200F1481ABC4459B2A5D7319A1A9B00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050023D1, Relevance: .0, Instructions: 37COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dfdf20e37680c320b5768790fdf1f921964af4c711671fee09fb888d2c55a74f
                                                  • Instruction ID: 58b224c05d725cf50c548a99420063378af2ddaf77d4662eccff8e450700da56
                                                  • Opcode Fuzzy Hash: dfdf20e37680c320b5768790fdf1f921964af4c711671fee09fb888d2c55a74f
                                                  • Instruction Fuzzy Hash: 880124B0D092499FCF48DFB9D5409AEBFF1EF8A300F1084AAC805AB255E7349A41CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0297075B, Relevance: .0, Instructions: 36COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235655673.0000000002970000.00000040.00000040.sdmp, Offset: 02970000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ca6a0b5bf319edae8ca202dc0168e2bae9795885764f0213a0868f6c13540e57
                                                  • Instruction ID: cedbc5d92287efa4e50358681f0d90c3549b23e3caff268931693a4bfeef09de
                                                  • Opcode Fuzzy Hash: ca6a0b5bf319edae8ca202dc0168e2bae9795885764f0213a0868f6c13540e57
                                                  • Instruction Fuzzy Hash: B7010835208284DFC716CB10D980B29BBA6FB89718F28C6ADE9491BA52C377D813DF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050023E0, Relevance: .0, Instructions: 33COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 672402db2621a32508a0ad48ad420f458a9ace9f5138ecdf0c7627c8b083d830
                                                  • Instruction ID: c2a1c386f5af0223106f7a69faf1fbbf9b3a9f8fe3db4ff421b09ad9777bf481
                                                  • Opcode Fuzzy Hash: 672402db2621a32508a0ad48ad420f458a9ace9f5138ecdf0c7627c8b083d830
                                                  • Instruction Fuzzy Hash: C5F0E2B4D05209DBCB48DFA9D5449AEBBB6EF88300F5090AA8805A7344EB34AA41CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500D2FD, Relevance: .0, Instructions: 33COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4ccb0404fd64d22eb6afc18344c9aaed518fe626ef350a662780d2f51d49b94c
                                                  • Instruction ID: 3ff6919bf1c0017e6aff15dee3961b31e591db28bf718928505b2a181b54d037
                                                  • Opcode Fuzzy Hash: 4ccb0404fd64d22eb6afc18344c9aaed518fe626ef350a662780d2f51d49b94c
                                                  • Instruction Fuzzy Hash: FC01C4B1D01228DFDB64CFA1D944BECB7F1BB19304F5081EA9189AB281D7345E95CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500B914, Relevance: .0, Instructions: 32COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 22a85e7fe3ea3075aca000af7e731581e8ae0cc06fd46bf119809af3ef313930
                                                  • Instruction ID: 0a3fcfb1c3b4356d8b6a979194d82348c1a30edf25d9635b38672b4566a9a3cb
                                                  • Opcode Fuzzy Hash: 22a85e7fe3ea3075aca000af7e731581e8ae0cc06fd46bf119809af3ef313930
                                                  • Instruction Fuzzy Hash: DC019274D01228CFDB64DFA4D988B9DBBB1FB08314F10A49AD449B7294DB355A85CF10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050022B8, Relevance: .0, Instructions: 32COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c850ba89881d28b22572fc67b8d2db60044c5ff519faee2050e641b6a88cc946
                                                  • Instruction ID: cd31574e647b5ec5feeae2d1e78cd98c3cafbb13d03a0348921c698bcaaf7599
                                                  • Opcode Fuzzy Hash: c850ba89881d28b22572fc67b8d2db60044c5ff519faee2050e641b6a88cc946
                                                  • Instruction Fuzzy Hash: EEF09A78E18308EFEB55DFA4E54D6ADBBF2EB19300F1080AADC01AB391D2325A44DF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05002ED8, Relevance: .0, Instructions: 32COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bddd51aa94a4b96967d2b5eb2e58a359d794fa6b63c0af52ec512436404e7117
                                                  • Instruction ID: ee55f486f0ce3c9a9e7f07f841e8aa4df7a7b600dc11ee7df262619ef028dc14
                                                  • Opcode Fuzzy Hash: bddd51aa94a4b96967d2b5eb2e58a359d794fa6b63c0af52ec512436404e7117
                                                  • Instruction Fuzzy Hash: FBF0E97890930ADFD714DFB4F54D17DBBF5FB49201F10D0A6D40967294DB319A109B01
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02970818, Relevance: .0, Instructions: 31COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235655673.0000000002970000.00000040.00000040.sdmp, Offset: 02970000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
                                                  • Instruction ID: f0b9d8d08076d2b9611a52d9456d5e1e44f92262a4e9179ad2bdd42fdd65895a
                                                  • Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
                                                  • Instruction Fuzzy Hash: 1CF01D35104644DFC305CF40D940B15FBA6EB89718F24CAADE9490B752C337D813DE81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500C6C0, Relevance: .0, Instructions: 29COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6a0af3322dd2fce1b3cf4b122db9dc907b919036d477935cf334279f1d23f423
                                                  • Instruction ID: 5d1c4ca48ef7b0282cb0851dba2bab8708f49f06262a8da0f7d9134bed5629c9
                                                  • Opcode Fuzzy Hash: 6a0af3322dd2fce1b3cf4b122db9dc907b919036d477935cf334279f1d23f423
                                                  • Instruction Fuzzy Hash: A6F08C709483889FCBA1EFB8E8186ADBFB0EF47201F1041EAC844AB296D7315955CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500D3C7, Relevance: .0, Instructions: 28COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d7adfdf8bac983b7a24f69a479ac0910e1bee63273aa0b258a5c2cacee19f80d
                                                  • Instruction ID: 264b4b3216d90754929577807cf189f19491a245ed13b4d4cfee9c4735199e2c
                                                  • Opcode Fuzzy Hash: d7adfdf8bac983b7a24f69a479ac0910e1bee63273aa0b258a5c2cacee19f80d
                                                  • Instruction Fuzzy Hash: 1301A4B4E412188FDB24DF64D888BDDBBB2BF58300F108199D519AB345D7705E80CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050000B9, Relevance: .0, Instructions: 28COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ad69c2a2c0e9d18d2092aa5b4ceee4c74e893921252fd63de5d3bd25d2070c74
                                                  • Instruction ID: 7af67138f03dc7e83b254fddfe18d653df395270f8ec3c577f54f6446b797a78
                                                  • Opcode Fuzzy Hash: ad69c2a2c0e9d18d2092aa5b4ceee4c74e893921252fd63de5d3bd25d2070c74
                                                  • Instruction Fuzzy Hash: CDF05830901258DFCB18DBA4D949BFDB7F5EF85304F2451AAC8096B261EA325E05DB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 029705F6, Relevance: .0, Instructions: 27COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235655673.0000000002970000.00000040.00000040.sdmp, Offset: 02970000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2eb3f81d9b5af3976072b875abc99f066259122e4f82c42d06f1baf120c692f2
                                                  • Instruction ID: 799705deef46b2cdebba8749bf6fd2484e64bacddcdddaa0688ed2ff11020ba0
                                                  • Opcode Fuzzy Hash: 2eb3f81d9b5af3976072b875abc99f066259122e4f82c42d06f1baf120c692f2
                                                  • Instruction Fuzzy Hash: C6E06D766446008B9650DF0AEC41452FBD8EB88630B18C47FDD0D8B701E175B508CEA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05001F98, Relevance: .0, Instructions: 25COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d80f04d77777da045e3720605683869b302b0e1da2de65fd8682b9e6d825824a
                                                  • Instruction ID: 4a3a7490a6c93d877c9a69a428a3d21459dd8578303191053b879185d731845b
                                                  • Opcode Fuzzy Hash: d80f04d77777da045e3720605683869b302b0e1da2de65fd8682b9e6d825824a
                                                  • Instruction Fuzzy Hash: A8E022308283888FCB059F78A9581FE7FF0EF43304F0015EAC84067252C3700905DB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050022C8, Relevance: .0, Instructions: 25COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c2fa1517c54699013e5183161e151771011d9a94b8d5c0b50be3e190fb46e35d
                                                  • Instruction ID: 8a46cc8e7c3c141d103eef8801f4aa9a35f161ff5d914d477e85021f5eefefc3
                                                  • Opcode Fuzzy Hash: c2fa1517c54699013e5183161e151771011d9a94b8d5c0b50be3e190fb46e35d
                                                  • Instruction Fuzzy Hash: 15F01538D04208EFDB14EFA5E188AADBBF6FB48304F1091AADC05A7354D6326A44DF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050000C8, Relevance: .0, Instructions: 25COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 371afddf777577e6c50d161af833f1c2ac616ab896ce73d1a6f473fb589dd8a5
                                                  • Instruction ID: 889ac18139c4e59325c6277c1910a6d690207f582d973ac7805847e9fbd9eb6e
                                                  • Opcode Fuzzy Hash: 371afddf777577e6c50d161af833f1c2ac616ab896ce73d1a6f473fb589dd8a5
                                                  • Instruction Fuzzy Hash: 67E06D30A00208DBCB08DFA5D544BADB3F5EF45304F6051B9C8096B250DE716E00DB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05000070, Relevance: .0, Instructions: 24COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9966b8eac9b76fa7fc2fcabf744792537d4babdaea042ffeadff4442cacb9ccb
                                                  • Instruction ID: aa4241e6d597e09ff711359551cbec97d88a1bf032c38ea400e4a714f01412bb
                                                  • Opcode Fuzzy Hash: 9966b8eac9b76fa7fc2fcabf744792537d4babdaea042ffeadff4442cacb9ccb
                                                  • Instruction Fuzzy Hash: 76E08C70553249D7CB58FBF8D51A73FB3A8EB83210F5418A8860223280CE315E20DB65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500D291, Relevance: .0, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fa0c58eca5fc150a990c31679e7d077a63627b817211f3b14734088497d04ab0
                                                  • Instruction ID: 08be73de34a6c05c828dd4bbc613e95026eb3e920346283a4be9eaf2a5f48918
                                                  • Opcode Fuzzy Hash: fa0c58eca5fc150a990c31679e7d077a63627b817211f3b14734088497d04ab0
                                                  • Instruction Fuzzy Hash: 6BF0AF71D052298FDB64DF60C949BECBBF1BB49300F5002EA9509A6290D7345E81CF10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500C4E0, Relevance: .0, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e10a8c946da618e00d2cac3c07b5339f306b142f427c12aa94e7e86d9a21707
                                                  • Instruction ID: d188801b29f1293701c2447839ffcdff3da59fcb6b96f99ea281d5bff18825f5
                                                  • Opcode Fuzzy Hash: 5e10a8c946da618e00d2cac3c07b5339f306b142f427c12aa94e7e86d9a21707
                                                  • Instruction Fuzzy Hash: 85E06D70D083889FCB61DFB4946869CBFF0AF46300F1081EEC84597252D2345A15DF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500C419, Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6ebc1b9118b351b0193183cdde14776a477143ad56486862f6b2c5eb4f0f751c
                                                  • Instruction ID: 3354d68daeaab48eb0e4ebe3cd31480efa70be1c66b8bd7fa915914288657447
                                                  • Opcode Fuzzy Hash: 6ebc1b9118b351b0193183cdde14776a477143ad56486862f6b2c5eb4f0f751c
                                                  • Instruction Fuzzy Hash: ECF03930E182889FCB95DBB894586ACBFF0EB06200F1041EAD844D7262D7395908CB41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500C458, Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f77be1ab38561235149a80f760948d6c747d181ae99001a370ff849e5c39df86
                                                  • Instruction ID: 9c752f83f45498f304542d76cd5e92b3d50e0072cd920ec8c7f61fbca65a5dad
                                                  • Opcode Fuzzy Hash: f77be1ab38561235149a80f760948d6c747d181ae99001a370ff849e5c39df86
                                                  • Instruction Fuzzy Hash: 2BE012309193994FD792EFB898552DC7BF0EF06110F1005AACC84D7152E6305A59DB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500C680, Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40b65da5077fd3bc8c8569e2d4f204159ba17658dbdd4d6ab203ff24766d996a
                                                  • Instruction ID: 09ca7fb143c63c7fc5a25bb128544e1c974d307777000dbf9b5a3a0cb7ed92c4
                                                  • Opcode Fuzzy Hash: 40b65da5077fd3bc8c8569e2d4f204159ba17658dbdd4d6ab203ff24766d996a
                                                  • Instruction Fuzzy Hash: 39E0DF708582889FC792ABB898286EC7FB0EF02200F1005EAC840972D2D330490ADB41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500D89B, Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a7af74c4fe239221b795bf0f2330c992596aca501dd28ddd3c8dc7680ee7f79d
                                                  • Instruction ID: b9602530a8c58fc2b4aca145ef0a0c35eb20bc819c4e0da9c6b28c30d31f5b29
                                                  • Opcode Fuzzy Hash: a7af74c4fe239221b795bf0f2330c992596aca501dd28ddd3c8dc7680ee7f79d
                                                  • Instruction Fuzzy Hash: 1FF09DB4C013A88FDB21DF60DD18BEEBBB1BB19315F0016DAC45AAB290D7310A80CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500C6D0, Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2cbc4654a98fc6811b0a612e9672fe876701b7aa9488f500c242add192b7706c
                                                  • Instruction ID: 1e68d4b8ba2ac3541f2bb411e9547b9c271a45ae10d691213df304f7cf2afbb4
                                                  • Opcode Fuzzy Hash: 2cbc4654a98fc6811b0a612e9672fe876701b7aa9488f500c242add192b7706c
                                                  • Instruction Fuzzy Hash: 87E01A70D04308AFDB60EFA4F40966DB7B4FB45301F1052A9D805A7388DB715940CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500C600, Relevance: .0, Instructions: 21COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1c5e0a14065112bc1d4f39cd435722b8731c88e88f7e148b5201fb2d2f53549e
                                                  • Instruction ID: bcdb0df9e8299574899e37d1275867805786117b9111d83ed32370b62a783bd7
                                                  • Opcode Fuzzy Hash: 1c5e0a14065112bc1d4f39cd435722b8731c88e88f7e148b5201fb2d2f53549e
                                                  • Instruction Fuzzy Hash: 38E0E570D18288AFDBA1DBB898582ACBFF0AB46200F1441EED84597252E7359A05CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500D548, Relevance: .0, Instructions: 20COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e6ba7c3e4e32acae478136e08e49c195d389f46a0c653fa6a3fea4930a3c5be9
                                                  • Instruction ID: 8b5195f4dd0bbfcfaf38315cb6b02661c3ba33d9686c15bd4eb81e52dd3cfae6
                                                  • Opcode Fuzzy Hash: e6ba7c3e4e32acae478136e08e49c195d389f46a0c653fa6a3fea4930a3c5be9
                                                  • Instruction Fuzzy Hash: BEF0AEB6C042698FDB20DF60D9407ECBBF1BB48340F9015DA991AA6280E7705FC0CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BD58, Relevance: .0, Instructions: 20COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5bc44bee23baa334a5f05a1e0ef89b0b11edb5f9b5eb607790875b1e16152212
                                                  • Instruction ID: a898c05f9a522038f38b5e91a6b11e6e42cacb46d62543a1e5e631f2af7d8d01
                                                  • Opcode Fuzzy Hash: 5bc44bee23baa334a5f05a1e0ef89b0b11edb5f9b5eb607790875b1e16152212
                                                  • Instruction Fuzzy Hash: 16E01270D08388AFCB51DFB8D45829CBFF0AF05210F1445DEC8549B291E7380655CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BC40, Relevance: .0, Instructions: 20COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ad180d4e06853724744f7337415ca8e56e5d3776ac816405b0aba82db592eeaf
                                                  • Instruction ID: deed620d96d378a67aa8f1934f34ed3b13286719d0c132e421dc367a226d5184
                                                  • Opcode Fuzzy Hash: ad180d4e06853724744f7337415ca8e56e5d3776ac816405b0aba82db592eeaf
                                                  • Instruction Fuzzy Hash: 0EE046B0D04308AFCBA5EFB8E81579CBBF0EB05220F1046EBCC64922E0E6390A44CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05001FA8, Relevance: .0, Instructions: 19COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 109902b232b41bc08f2c6fe54925c20ba0da25dba9fa28c94dc812cf2894e20d
                                                  • Instruction ID: a86f7a9240b38927e4b1efda476f0239725acc23ec0bed8c1b8a55831c50a096
                                                  • Opcode Fuzzy Hash: 109902b232b41bc08f2c6fe54925c20ba0da25dba9fa28c94dc812cf2894e20d
                                                  • Instruction Fuzzy Hash: ABD0173091530CDBD718EFA4F949A6EBBB8EB42306F1056A9880523284CB706A50DBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500D207, Relevance: .0, Instructions: 19COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2d79d1ead2aab31ca901438fed862d84856c711173d7ad2bceed026bbe39a965
                                                  • Instruction ID: e54aaef63adcc5bbb739d516cbe47f460cd98a64b1be527d5026265e080871ac
                                                  • Opcode Fuzzy Hash: 2d79d1ead2aab31ca901438fed862d84856c711173d7ad2bceed026bbe39a965
                                                  • Instruction Fuzzy Hash: 8AF0927591512E8FDF65CF50C945BDDB7B1BB48304F1081D59509A6250D7349F80CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500503A, Relevance: .0, Instructions: 19COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 48b430245417947230e6e6901ed89ecf5409d26fc448c8f1f836ac05eeb6771d
                                                  • Instruction ID: 47cc8ab72c7b8ae48dffbb1c7728b434d6bef8b1448be428029ebcc7dfcc942f
                                                  • Opcode Fuzzy Hash: 48b430245417947230e6e6901ed89ecf5409d26fc448c8f1f836ac05eeb6771d
                                                  • Instruction Fuzzy Hash: 19F06C78902259CFCBA1CF64D884AD8BBB1FB48315F1110E5E419AB714D730AEC5CF00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BD20, Relevance: .0, Instructions: 18COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 10b4f98c3d65267b583d6abee552ff8878d5f03567c9b6b8a472887ef804544f
                                                  • Instruction ID: 20c9cae1d065c6d13b9db5f0d26b8f13337a57613901725051cb2292699fdb86
                                                  • Opcode Fuzzy Hash: 10b4f98c3d65267b583d6abee552ff8878d5f03567c9b6b8a472887ef804544f
                                                  • Instruction Fuzzy Hash: 4EE0B670D14748AFCBA5EFB8E4252ADBFF0AB45210F1096AAD88496250E7394650CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500509D, Relevance: .0, Instructions: 18COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 20ded5673eefc361c8421b8905e2200f8c84af2a6b6c94bdb7418bbac9f30dbf
                                                  • Instruction ID: 555e241541c4619b0f86edfa01bd601101b1a0cce53a63600560d19d5210662c
                                                  • Opcode Fuzzy Hash: 20ded5673eefc361c8421b8905e2200f8c84af2a6b6c94bdb7418bbac9f30dbf
                                                  • Instruction Fuzzy Hash: 73D012B481424999DFA0CFA4B88059E7FF4E704705F106069916BE2545E6301A514A06
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500B4BF, Relevance: .0, Instructions: 18COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 03d52043c5c6dcea8b04eaef6b6fe2396571ac562bdca91c1f5a1bf651ca9e60
                                                  • Instruction ID: a2731516174434701bbf2efc53c0c6f6d3366a8441ca58171bbadb2faebedc50
                                                  • Opcode Fuzzy Hash: 03d52043c5c6dcea8b04eaef6b6fe2396571ac562bdca91c1f5a1bf651ca9e60
                                                  • Instruction Fuzzy Hash: 5BF0A574E112188FDB64DF64E98878DBBF1BB46344F5091AAD50EE6744DB305A81CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500B36B, Relevance: .0, Instructions: 17COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6901a3d6cd27d4a91f13dab41b4356e6909af6d216c5186f04e7b3998c876582
                                                  • Instruction ID: 7c9baf50ffe0826f9a621b6eca8c76541be88932fc228a15eeff57184d2b46ab
                                                  • Opcode Fuzzy Hash: 6901a3d6cd27d4a91f13dab41b4356e6909af6d216c5186f04e7b3998c876582
                                                  • Instruction Fuzzy Hash: 9CE0EC70A12118EBDB14CF54F984A6DBBB3FB8A340F25A126E506A7398CB34ED55CB05
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BDA8, Relevance: .0, Instructions: 17COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 465f80100792dfd99d8a613a840178c4e8f6ef28b0b48c04b1c4dbcf09c6afa2
                                                  • Instruction ID: ca981eef4293d0078ad9c4bb6704918501473489c51f62eaf3185f7e4b5784ef
                                                  • Opcode Fuzzy Hash: 465f80100792dfd99d8a613a840178c4e8f6ef28b0b48c04b1c4dbcf09c6afa2
                                                  • Instruction Fuzzy Hash: F0D017B0D08208ABCB94FFB8E41469DBBF5BB44300F1081AA8808A3284E7345A41CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BD28, Relevance: .0, Instructions: 16COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 85787c91e0ec88db06b0d7e2c360e6bb8c3a11c03f9fdd64635e562d3af7cd65
                                                  • Instruction ID: 1085ef7986e1ba2a1876a933746fff9c65f80fce0450c3c39f08948b0f1be56b
                                                  • Opcode Fuzzy Hash: 85787c91e0ec88db06b0d7e2c360e6bb8c3a11c03f9fdd64635e562d3af7cd65
                                                  • Instruction Fuzzy Hash: 09D01770D04348AFCB60EBB8A4153ACBBF4AB04200F1041EA884496280EB385A40CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BD68, Relevance: .0, Instructions: 16COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f304b39106facde8fcc673e76af2484c9f85ee2b7504f14e3897ed7d94f9f1bc
                                                  • Instruction ID: ad1cf8be1f1df90281f4eb0561bf4ce829e85e97f19b8e35579cf25eee10771a
                                                  • Opcode Fuzzy Hash: f304b39106facde8fcc673e76af2484c9f85ee2b7504f14e3897ed7d94f9f1bc
                                                  • Instruction Fuzzy Hash: 30D017B0D04208AFCB90EFA8E41439CBBF4AB04200F0041AA880893340EB385A41CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BC50, Relevance: .0, Instructions: 16COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3ae4bdf87208bd6a657d2bd40cddcdc096953228c8268230221f6f95046c11dc
                                                  • Instruction ID: 9d345d55584588bf425551d9f2bc5c277aef2620f6766cf7d066959287c0976f
                                                  • Opcode Fuzzy Hash: 3ae4bdf87208bd6a657d2bd40cddcdc096953228c8268230221f6f95046c11dc
                                                  • Instruction Fuzzy Hash: 72D01770D04208AFCB50EFA8E44579DBBF4EB04600F1041AA984893290EB345A40CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500B6BE, Relevance: .0, Instructions: 16COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 221de1c9bea236dbf5249804bddd61e152553bbbb9b1b17d591022ac2a47ea24
                                                  • Instruction ID: a37b5e93998814c75581f14bba1e00860074d1f9a9fb10b683e655394c3a1cdc
                                                  • Opcode Fuzzy Hash: 221de1c9bea236dbf5249804bddd61e152553bbbb9b1b17d591022ac2a47ea24
                                                  • Instruction Fuzzy Hash: BDE026328002048FE744EFA4D8CC68CBBB5BF02310F40A1198076EB2D6CF701142CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500D584, Relevance: .0, Instructions: 15COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3fe7be074146ffcbbc98804cb59d36bd150fdc3496373934654c9851e70fa9b9
                                                  • Instruction ID: 1599943983aa0f2e495454535484f0a4b5ed368932c9f6ee595d73ac3e5bf2b1
                                                  • Opcode Fuzzy Hash: 3fe7be074146ffcbbc98804cb59d36bd150fdc3496373934654c9851e70fa9b9
                                                  • Instruction Fuzzy Hash: ACE09976C0422A9FCF20DFA0C944BECBBF6AB58300F6041E99119A2250D7355B80CF00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500B89D, Relevance: .0, Instructions: 15COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 717ae8d71bea8535943a8a14a09c3802afe4a2b5f04fc1c1abe307b4da75340e
                                                  • Instruction ID: 4be08514baf55bec4f095c072987b588d9aeb65d879f0e802a0c6e26ad708f4d
                                                  • Opcode Fuzzy Hash: 717ae8d71bea8535943a8a14a09c3802afe4a2b5f04fc1c1abe307b4da75340e
                                                  • Instruction Fuzzy Hash: 07E09A34E052199FCB64CF64E98579DBBB1BF4A301F206095A589AB244DB705A808F05
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012D23F4, Relevance: .0, Instructions: 15COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235444134.00000000012D2000.00000040.00000001.sdmp, Offset: 012D2000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1a8410c0202544fc3ccf5ba4d1ada89ce25e10b8a073d28ceed2acc6661ac3e1
                                                  • Instruction ID: f477dfcf0dc3665c87e50f983a12060810f98de0af22bfba8d05ab140249df23
                                                  • Opcode Fuzzy Hash: 1a8410c0202544fc3ccf5ba4d1ada89ce25e10b8a073d28ceed2acc6661ac3e1
                                                  • Instruction Fuzzy Hash: 37D05E79225A928FE3278A1CC1A8B953FA4EB51B04F4644FDED008B663C368D981D200
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500BDD7, Relevance: .0, Instructions: 14COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b4cbf58bd273851e192cbc92bb4b5cf6e3d6dc42cd0bb51ede2c7fac67758e7b
                                                  • Instruction ID: 17539b978c7e5e9c42f3f0a12425e93cc22625c559c0bb0cb8b9ca315b5201d0
                                                  • Opcode Fuzzy Hash: b4cbf58bd273851e192cbc92bb4b5cf6e3d6dc42cd0bb51ede2c7fac67758e7b
                                                  • Instruction Fuzzy Hash: 48D09EB4D48648EFDB54DFA4E4553ACFBF0FF04305F10819A980957290EB395A42DF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 012D23BC, Relevance: .0, Instructions: 14COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.235444134.00000000012D2000.00000040.00000001.sdmp, Offset: 012D2000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 211e28df2cad957d48e0f55e4ae360c863f7aea53239078c450081157804a04d
                                                  • Instruction ID: 78c6c379490a563c6725c8c6d79f80b13b0ff078693bef52346d5844f1754259
                                                  • Opcode Fuzzy Hash: 211e28df2cad957d48e0f55e4ae360c863f7aea53239078c450081157804a04d
                                                  • Instruction Fuzzy Hash: 24D05E342102828BD715DB0CC594F593BD4AB81B00F0645E8BE008B662C7A4D881C600
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500B746, Relevance: .0, Instructions: 13COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 46e75108f09149324d25244b69ac5e04551459439d91a97ae2c102ba9b81c7d6
                                                  • Instruction ID: b043bff0dc6dc0b2ab5c334b6b5b675f2693f6dec81f4b897100b27fee8f6de8
                                                  • Opcode Fuzzy Hash: 46e75108f09149324d25244b69ac5e04551459439d91a97ae2c102ba9b81c7d6
                                                  • Instruction Fuzzy Hash: 0CD0A771C24204EBEF14CFD1EC8A0ADFEB5AB05210F107406E043B5481DB3451018F11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500DE46, Relevance: .0, Instructions: 13COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8425d98825e5d879b12df0a0be322205fc8dadd5c8661e06cd3df0fcc99061cb
                                                  • Instruction ID: 31d2914015cd09b30f271ca7b21b220d595bae79089df49293aa2c4676cd07dd
                                                  • Opcode Fuzzy Hash: 8425d98825e5d879b12df0a0be322205fc8dadd5c8661e06cd3df0fcc99061cb
                                                  • Instruction Fuzzy Hash: A2E0E276C0532A9EDB64CF60C8847EDBBB2BB54390F4015E9800AA6290EB385BC1DF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050089F7, Relevance: .0, Instructions: 12COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d02694071d3404018d8a355c2431086033119b277938a1a655a9c91adeb49a9a
                                                  • Instruction ID: 4f6eeebcfa9112d24fdab36596bf9164869e7861f1abe0d2de9b047bc66462bd
                                                  • Opcode Fuzzy Hash: d02694071d3404018d8a355c2431086033119b277938a1a655a9c91adeb49a9a
                                                  • Instruction Fuzzy Hash: ABD05E31901119DF9F40DFD4D5441AC7FF5FB88308F20A91AC001AB258D7308942CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500D864, Relevance: .0, Instructions: 11COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52107c4418c706b016ae7d89da3ea96cec8a8a7c3d33eea3726ed17df6ea55c5
                                                  • Instruction ID: b06774a06935b5f791bfd6c6ddda8495a5176c1b50109a461c9a624b3e2792de
                                                  • Opcode Fuzzy Hash: 52107c4418c706b016ae7d89da3ea96cec8a8a7c3d33eea3726ed17df6ea55c5
                                                  • Instruction Fuzzy Hash: 9AD067759052688EDB64DF60C8947EDB6B1AB15341F5016D58045A6250D7780BC5CF01
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05005876, Relevance: .0, Instructions: 9COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ef1e6cb87bf59a60ed3e5d7ef35a34a2e6057685e73a9b5f3fe4143e7087f163
                                                  • Instruction ID: 912bfa785b716f335b70e7138e04fe2679cba98a3f27e9224060fb7c47d96684
                                                  • Opcode Fuzzy Hash: ef1e6cb87bf59a60ed3e5d7ef35a34a2e6057685e73a9b5f3fe4143e7087f163
                                                  • Instruction Fuzzy Hash: FFD0C971805384CFCB54CFA0E14488CBBB1EB09316F505469900A9B269C735AA80CF04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050086B9, Relevance: .0, Instructions: 9COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8ff137d9de616222c2a8a1601c0ebab5b2b937e0137ba3acc13422e76a39811b
                                                  • Instruction ID: 039a17aef819fb6e68b34834a0f81daa2b27357337f8c80ee05c7c3ba2bede12
                                                  • Opcode Fuzzy Hash: 8ff137d9de616222c2a8a1601c0ebab5b2b937e0137ba3acc13422e76a39811b
                                                  • Instruction Fuzzy Hash: CFD0C930A0631EEEDB24CB58D981A8CBBB6FB05258F1066AA944496148D374AA42CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500B45E, Relevance: .0, Instructions: 8COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: abd3fd795faa62d8d4d37b221bccc89a2c7cf805bc634aec9b565a47a23264bc
                                                  • Instruction ID: 43374d666d528325d1fbe3cb7304da327197b42e309ce214a0b390b9b77901c2
                                                  • Opcode Fuzzy Hash: abd3fd795faa62d8d4d37b221bccc89a2c7cf805bc634aec9b565a47a23264bc
                                                  • Instruction Fuzzy Hash: 90C04C31829205EFD734CF51F9C855DBFB5F749251B203415A046AA554C7349940CF49
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Function 05009209, Relevance: 1.5, Strings: 1, Instructions: 271COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: NTGf
                                                  • API String ID: 0-718498769
                                                  • Opcode ID: 1721fdd981c0fe3d0379959afe5b11f7086bc2ae47b5f21be0c2d055ab68d792
                                                  • Instruction ID: 9eeaf4ec1114374485f55d793769b0e452796f44336ea29664e275593f10dd11
                                                  • Opcode Fuzzy Hash: 1721fdd981c0fe3d0379959afe5b11f7086bc2ae47b5f21be0c2d055ab68d792
                                                  • Instruction Fuzzy Hash: 0DC16C70D08259DFDB04CFA5D5805ACFBF2FF89304F2496AAD444AB28AD3349A42DF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05009250, Relevance: 1.5, Strings: 1, Instructions: 241COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: NTGf
                                                  • API String ID: 0-718498769
                                                  • Opcode ID: 9984cd3e88e93ec527be5a48a729973218283642c77ffdddc2c04d5eaa63e72d
                                                  • Instruction ID: 3bfb794159cc68ef0f82820d8751abd81df95fa5fbbf384067bab732b13f1d9c
                                                  • Opcode Fuzzy Hash: 9984cd3e88e93ec527be5a48a729973218283642c77ffdddc2c04d5eaa63e72d
                                                  • Instruction Fuzzy Hash: 67B12774D04258DFDB04DFA6D5809ACFBF2FB89308F24966AD405AB24AC3359E42CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05007908, Relevance: 1.4, Strings: 1, Instructions: 154COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: X(F
                                                  • API String ID: 0-778343407
                                                  • Opcode ID: 5b04e7f638268a391c7353bf28088cca1cfd2ee5a7b8d8d0f0d1f37447187e66
                                                  • Instruction ID: 4a2074ffdd781a9b210b296cc0f1e1c0e81784d095edb01badbcaebed0d39fed
                                                  • Opcode Fuzzy Hash: 5b04e7f638268a391c7353bf28088cca1cfd2ee5a7b8d8d0f0d1f37447187e66
                                                  • Instruction Fuzzy Hash: 1C6102B4D1961ADFDF04CFAAD5419AEFBF2FB88300F10A56AD415BB254D338AA018F54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050078F9, Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: X(F
                                                  • API String ID: 0-778343407
                                                  • Opcode ID: 81b990733f41c621e4f89c951a80f3c269323f47fafb400665fe074081b1f200
                                                  • Instruction ID: a5fd0b2e3b55b91ba37ddfef76f41188efabc1c02f7f4b30a9ab69319282ce12
                                                  • Opcode Fuzzy Hash: 81b990733f41c621e4f89c951a80f3c269323f47fafb400665fe074081b1f200
                                                  • Instruction Fuzzy Hash: E96110B4D1921ADFDF04CFAAD5409AEBBF2FB89300F10A56AD415BB254D338AA01CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05009A48, Relevance: .2, Instructions: 230COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fa970a4bbc5a69ec4cb607f7423fa7f01c6f6bf42e8346dc553cca8cda7d7663
                                                  • Instruction ID: 13d8e7e667b5072c9b6dec651d3450a21e70c8ceb37a56709ae287230ad4aaef
                                                  • Opcode Fuzzy Hash: fa970a4bbc5a69ec4cb607f7423fa7f01c6f6bf42e8346dc553cca8cda7d7663
                                                  • Instruction Fuzzy Hash: 13A15770D05259CFDB04CFE6E5809AEBBF2FF89310F24995AD411AB295D7309A42CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500C711, Relevance: .2, Instructions: 195COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a961f477e6853151bd4025523e4cc61c87720150708acadf118369ccd7fbddce
                                                  • Instruction ID: 7cd3ad39b8cef6167d9b31e7fb863d6dec53ce9bf5df143fd934e2be1ae28b75
                                                  • Opcode Fuzzy Hash: a961f477e6853151bd4025523e4cc61c87720150708acadf118369ccd7fbddce
                                                  • Instruction Fuzzy Hash: 2C8118B0D0525ECFEB04CFA4E6455BEFBF1FB59200F10A91AC419BB294D7705A018FA6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 050046AA, Relevance: .1, Instructions: 143COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b5bdc3914efe178c7d2843ae8eebcfd9e315936bd76c360ed77fcb8fe65ce72a
                                                  • Instruction ID: 660fe07f147c6dc667b1bf8046e0ea1eda2ea7ce545707e80d4311f3d9548d7f
                                                  • Opcode Fuzzy Hash: b5bdc3914efe178c7d2843ae8eebcfd9e315936bd76c360ed77fcb8fe65ce72a
                                                  • Instruction Fuzzy Hash: F6511470D0524ADFDB04CFA8E6809AEBBF2FB49300F24A569C506BB255D3309E41CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05009EAA, Relevance: .1, Instructions: 139COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 243a0dc5d7f81af91bd846ff71d71f5926775bc5cdf96f27c78fbbecc2f2b786
                                                  • Instruction ID: 7f477038d257f89929b6a04930551d37c74870945e4bde2f827d9aed0934fe91
                                                  • Opcode Fuzzy Hash: 243a0dc5d7f81af91bd846ff71d71f5926775bc5cdf96f27c78fbbecc2f2b786
                                                  • Instruction Fuzzy Hash: 6F516970D052098FEB04CFA6D451AFEFBF2FF49210F24A959D410BB2A6D7349A02CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500ACC8, Relevance: .1, Instructions: 131COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f93c9b4e2e6cb12621e3501d50cbb494a2888e75267f75cff6209be330ae798f
                                                  • Instruction ID: 999da098d6f1788f37a1c651d2510855692dd9ef8b2a59a850c6e86c139062a1
                                                  • Opcode Fuzzy Hash: f93c9b4e2e6cb12621e3501d50cbb494a2888e75267f75cff6209be330ae798f
                                                  • Instruction Fuzzy Hash: 00512670E04259DFDB14CFAAD5805ADFBF2FB89304F24D26AC415AB259D7359A42CF80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500ACB8, Relevance: .1, Instructions: 129COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cc6f1e0b0b1385a3059f60428b42a2afa83ab4a4bf71a2917eb509e9773b8a12
                                                  • Instruction ID: 71d928e7f564880dc60653ca392012ee8ede3c9073a676e031d3211a68c74483
                                                  • Opcode Fuzzy Hash: cc6f1e0b0b1385a3059f60428b42a2afa83ab4a4bf71a2917eb509e9773b8a12
                                                  • Instruction Fuzzy Hash: E6511770E04259DFDB14CFAAD5805ADBBF2FF89304F24D26AC415AB299D7749A42CF80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500A0F8, Relevance: .1, Instructions: 114COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1943af50c7f05c90f042ec73c94876a719e46a0e67429ba45da32e328c1cc83a
                                                  • Instruction ID: 9e15120a632abf7c410e774f223ca9c3cdce29a1e95ae8715e1023aaf388dafe
                                                  • Opcode Fuzzy Hash: 1943af50c7f05c90f042ec73c94876a719e46a0e67429ba45da32e328c1cc83a
                                                  • Instruction Fuzzy Hash: CE414C74E04258DFEB14CFA6D5805ADFBF2FB89304F24D26AC418AB249D7349A42CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500A0E8, Relevance: .1, Instructions: 112COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8e4009251ecda2cfa1691f7c2c0fde484b1971f94c68bb81e7e1a01c23b86e93
                                                  • Instruction ID: fe78c7b48f3c6319a87c0e61b03a4a9cac935324fc6117e92b811bc85a0797d0
                                                  • Opcode Fuzzy Hash: 8e4009251ecda2cfa1691f7c2c0fde484b1971f94c68bb81e7e1a01c23b86e93
                                                  • Instruction Fuzzy Hash: 5B512874E04259DFEB14CFA6C5805ADFBF2BB89304F24D26AC414AB299D3349A42DF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05007B60, Relevance: .1, Instructions: 109COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 925ce5ccbaa5dbbc5cffcfa7888122d0effde53c3d1f26d6a5b954c89feafbcb
                                                  • Instruction ID: e8442c369e4b5d476bb803807c8c7f50f6e9d3b233d6d5999e1a139bff8c6147
                                                  • Opcode Fuzzy Hash: 925ce5ccbaa5dbbc5cffcfa7888122d0effde53c3d1f26d6a5b954c89feafbcb
                                                  • Instruction Fuzzy Hash: F7412D74D0520ADFDB04CF99D5815AEFBB2EF84310F20A46AC815BB255D738AA41CB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05007B70, Relevance: .1, Instructions: 105COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9ebfe414c2dccbc48b569e303f5c6903fb213ce31c5fb1e982339340c6416822
                                                  • Instruction ID: 11844f0cdc43423f1fc904a78619ddf3c4c3c568023f034071387c33e2260bfb
                                                  • Opcode Fuzzy Hash: 9ebfe414c2dccbc48b569e303f5c6903fb213ce31c5fb1e982339340c6416822
                                                  • Instruction Fuzzy Hash: 20413C74D0520EDFDB04CF99D5815AEFBB2FF88310F20A46AC805BB254D738AA41CBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05007D52, Relevance: .1, Instructions: 104COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d0e178736396349159976f4f3e58d9292c7ba2e98def04a3e059b0663ffcc4db
                                                  • Instruction ID: c5c235377c3d2bfef6a2a018d16f36cff1e6968ffa13389e441b0872e948a32c
                                                  • Opcode Fuzzy Hash: d0e178736396349159976f4f3e58d9292c7ba2e98def04a3e059b0663ffcc4db
                                                  • Instruction Fuzzy Hash: FF4126B0E016188FEB58CFAAD984A9EFBF2FF85314F04D1AAD508AB255D7709941CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05007728, Relevance: .1, Instructions: 91COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eca43c4c8beb196da69e9e93d0be870db806b4b8c9378dfd65e0874f90984ed7
                                                  • Instruction ID: 00ad4096d6d0a0a2c9266dfef26ebd82daeaacadae6ef3db03f9ac9f8930abee
                                                  • Opcode Fuzzy Hash: eca43c4c8beb196da69e9e93d0be870db806b4b8c9378dfd65e0874f90984ed7
                                                  • Instruction Fuzzy Hash: 814109B0D0520ADFDB08CFA6D5815AEFBF2FB88340F10D46AC515AB250D738AA41CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05007738, Relevance: .1, Instructions: 89COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3def9ccdbaf0fe82b3e0b43db242c5b8979fca871d02e5ab4bfea6dbdfc2d6be
                                                  • Instruction ID: c67fdefd3b9b5d3f27c0d4421f58f8ac05969354261a9b3b3ef4c92fc575c6f9
                                                  • Opcode Fuzzy Hash: 3def9ccdbaf0fe82b3e0b43db242c5b8979fca871d02e5ab4bfea6dbdfc2d6be
                                                  • Instruction Fuzzy Hash: 0B31D6B0D0520ADFDB08CF9AD5815AEFBF2FF88340F10A46AD519AB254D738A645CF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05008C97, Relevance: .1, Instructions: 57COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8f6436718f347ecd3cb6edecff781f3fd999ca36380d5aed98d159569825a84e
                                                  • Instruction ID: 1a0a6889b622f6a42dd5ba3aac6d69218a02842d8d54c5e35c6ccf764da3baf8
                                                  • Opcode Fuzzy Hash: 8f6436718f347ecd3cb6edecff781f3fd999ca36380d5aed98d159569825a84e
                                                  • Instruction Fuzzy Hash: F7211D71D197548FEB09CFBA98511DEBFF2BF8A210F18D0BBC404EB2A6D67845068B51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500A6C8, Relevance: .1, Instructions: 53COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3bf82421730d1c33b19f27e92bdc466ddde5e49bfdddb8887a2fd322be2c87f5
                                                  • Instruction ID: 0625947c4f565193f133edc4eb6ea3c44aa439e68353c11509835ce70af502a7
                                                  • Opcode Fuzzy Hash: 3bf82421730d1c33b19f27e92bdc466ddde5e49bfdddb8887a2fd322be2c87f5
                                                  • Instruction Fuzzy Hash: AE1107B0E05219CBEB28CFA7E9405AEFBF3BBC9200F14D16AC414A7255DB3456068F51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0500A6C0, Relevance: .0, Instructions: 48COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9a2154026dcda81731349e338fd5c2cd9c75833fc4ec48b60a3e8e8e6eabf60b
                                                  • Instruction ID: 7a6394689220db2f93f68ba91765e05b6bb098fd8630e6e23e83d5dd4b782c2b
                                                  • Opcode Fuzzy Hash: 9a2154026dcda81731349e338fd5c2cd9c75833fc4ec48b60a3e8e8e6eabf60b
                                                  • Instruction Fuzzy Hash: F51125B0E00709CFEB58CFAA99445AEBBF3BBC8200F14C47AC414AB255DB3846468F51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 05008CD0, Relevance: .0, Instructions: 44COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.239319495.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9cdc3abb668cce676654bca46550981856c6c5816e6c14e83602c6e04be4de1c
                                                  • Instruction ID: 1c8d698aff6ac46e49db9f973526b020fb38332897ab33bc67a28907bfade13f
                                                  • Opcode Fuzzy Hash: 9cdc3abb668cce676654bca46550981856c6c5816e6c14e83602c6e04be4de1c
                                                  • Instruction Fuzzy Hash: 0711CCB1D046098BEB18CFAB99411AEFBF3BFC8200F24D57A8418A7255D77456018F41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Analysis Process: ORDER.exe PID: 6052 Parent PID: 5428 ORDER.exeCOMMON

                                                  Executed Functions

                                                  Function 029305CF, Relevance: .0, Instructions: 44COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.249775741.0000000002930000.00000040.00000040.sdmp, Offset: 02930000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 139a0ded64605605c70b37426e2b2b5b77692144664d2162b1236bc0d6e3059d
                                                  • Instruction ID: 565bb37bb01ab263227be7e87dcdcd482cf573dd78bf22336849b076bbe9814d
                                                  • Opcode Fuzzy Hash: 139a0ded64605605c70b37426e2b2b5b77692144664d2162b1236bc0d6e3059d
                                                  • Instruction Fuzzy Hash: 4E01A2765097806FD7128F1AAC40862FFA8DE8663070884DFED898B612D125A908CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 029305F6, Relevance: .0, Instructions: 27COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.249775741.0000000002930000.00000040.00000040.sdmp, Offset: 02930000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1cd3102d2329f78e578aae2f92ff1276273f8814f6b193e394d493deb04633d8
                                                  • Instruction ID: 7a9da033b44e9edfea1f9e2ddc19c66c2a3395b8e681b7b7660b7d7605424107
                                                  • Opcode Fuzzy Hash: 1cd3102d2329f78e578aae2f92ff1276273f8814f6b193e394d493deb04633d8
                                                  • Instruction Fuzzy Hash: C7E06D766406008B9650CF0AEC41466F798EB88630B18C46FDC0D8B711E175B5088EA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00BB23F4, Relevance: .0, Instructions: 15COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.249588417.0000000000BB2000.00000040.00000001.sdmp, Offset: 00BB2000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf31810a49bf2f7dd72631c715d4e8907669e3334e63f8259ff8856e68076999
                                                  • Instruction ID: 75e82199f04b966804a7cb429d7c3ddfcc7d7c2d76d6d4f5ea27f155c1c8c9cd
                                                  • Opcode Fuzzy Hash: bf31810a49bf2f7dd72631c715d4e8907669e3334e63f8259ff8856e68076999
                                                  • Instruction Fuzzy Hash: EED05E79215A818FD3268B1CC1A9BE53FD4EF51B05F4644FDE8008BB63C3A8D981D200
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00BB23BC, Relevance: .0, Instructions: 14COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.249588417.0000000000BB2000.00000040.00000001.sdmp, Offset: 00BB2000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a0b663968a27cb063253806730baabe829285b16e0e27233e2c822867692f793
                                                  • Instruction ID: fe9884c841ee514865849cf95bcd211d4cbb0c4ebdb9ae847bf693dbf7e4b67d
                                                  • Opcode Fuzzy Hash: a0b663968a27cb063253806730baabe829285b16e0e27233e2c822867692f793
                                                  • Instruction Fuzzy Hash: C9D05E342002818FC715DB0CC594FA937D4EB41B00F0644E8AC008B662C3A8DCC1C600
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions