
Analysis Report #1002021.exe

Overview

General Information

Sample Name: #1002021.exe
Analysis ID: 383981
MD5: 6208b6541936333f498204d1ec7234db
SHA1: 62a31f0f710ce7af593ff6ce28d22b8fe1ca8097
SHA256: c1f2ef3f7a994adba520b81e95a6c792a263d574247d66b7d1e3edce99a4910d
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Injects a PE file into a foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • #1002021.exe (PID: 4612 cmdline: 'C:\Users\user\Desktop\#1002021.exe' MD5: 6208B6541936333F498204D1EC7234DB)
    • #1002021.exe (PID: 2672 cmdline: {path} MD5: 6208B6541936333F498204D1EC7234DB)
  • cleanup
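
The tree above shows the sample starting a second copy of its own image: same path, same MD5, and a command line the sandbox records only as `{path}`. Together with "Creates a process in suspended mode" and "Injects a PE file" further down, that is the shape a hollowed child takes. The script below is an added example, not part of the Joe Sandbox report: a heuristic over process-creation records that flags a child whose parent is the same image with the same hash, while skipping known multi-process applications, because browsers spawn same-image, same-hash children by design and would otherwise flood the result. The `Proc` records are constructed here from the two processes listed above plus made-up benign controls; the allow list and the placeholder hashes are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Browsers (and some other apps) spawn same-image, same-hash children by
# design; without this allow list the heuristic fires on every renderer.
# Assumption: tune to what actually runs in your estate.
KNOWN_MULTIPROCESS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str      # full path, as a process-creation event records it
    md5: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def self_spawn_candidates(procs: List[Proc]) -> List[Tuple[int, int]]:
    """Return (parent_pid, child_pid) pairs where the child runs the same
    image with the same hash as its parent and the image is not a known
    multi-process application. Same image *and* same hash is required:
    updaters and launchers routinely start a different build of the same name."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if basename(child.image) in KNOWN_MULTIPROCESS:
            continue
        if (parent.image.lower() == child.image.lower()
                and parent.md5.lower() == child.md5.lower()):
            hits.append((parent.pid, child.pid))
    return hits


# Constructed input: the two records from this report's Startup section
# (PIDs, path and MD5 as listed there) plus made-up benign controls with
# placeholder hashes.
SAMPLE_TREE = [
    Proc(4612, None, r"C:\Users\user\Desktop\#1002021.exe",
         "6208B6541936333F498204D1EC7234DB",
         r"'C:\Users\user\Desktop\#1002021.exe'"),
    Proc(2672, 4612, r"C:\Users\user\Desktop\#1002021.exe",
         "6208B6541936333F498204D1EC7234DB", "{path}"),
    # benign control: services.exe -> svchost.exe (different image)
    Proc(600, 4, r"C:\Windows\System32\services.exe",
         "00000000000000000000000000000001", "services.exe"),
    Proc(900, 600, r"C:\Windows\System32\svchost.exe",
         "00000000000000000000000000000002", "svchost.exe -k netsvcs"),
    # benign control: browser renderer, same image and hash as its parent
    Proc(1200, 1000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "00000000000000000000000000000003", "chrome.exe"),
    Proc(1300, 1200, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "00000000000000000000000000000003", "chrome.exe --type=renderer"),
]

if __name__ == "__main__":
    for ppid, pid in self_spawn_candidates(SAMPLE_TREE):
        print(f"self-spawn candidate: parent {ppid} -> child {pid}")
```

Run against the constructed tree it returns only the `4612 -> 2672` pair. On real telemetry the hash equality comes from the process-creation event's hash field (Sysmon event 1 or an EDR equivalent); the heuristic is a triage filter, not proof of hollowing, and is best paired with a check for a child that never reaches its original entry point or whose image-on-disk no longer matches its mapped image.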

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "ekwe@yillyenterprise.com^1.kk2[?w-Yzmail.yillyenterprise.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.497062143.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.260493550.0000000004229000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: #1002021.exe PID: 4612 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: #1002021.exe PID: 4612 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author
2.2.#1002021.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.#1002021.exe.43d9ba0.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.#1002021.exe.43d9ba0.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.#1002021.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ekwe@yillyenterprise.com^1.kk2[?w-Yzmail.yillyenterprise.com"}
Multi AV Scanner detection for submitted file
Source: #1002021.exe | ReversingLabs: Detection: 35%
Source: 2.2.#1002021.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: #1002021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: #1002021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49705 -> 103.6.198.237:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49706 -> 103.6.198.237:587
Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 103.6.198.237:587
Source: Joe Sandbox View | ASN Name: EXABYTES-AS-AP ExaBytes Network Sdn Bhd (MY)
Source: unknown | DNS traffic detected: queries for: mail.yillyenterprise.com
Source: #1002021.exe, 00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: #1002021.exe, 00000002.00000002.509134848.0000000002DA9000.00000004.00000001.sdmp | String found in binary or memory: http://5TEa8DtAtM9Dv.org
Source: #1002021.exe, 00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://BtAllR.com
Source: #1002021.exe, 00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: #1002021.exe, 00000000.00000003.233272249.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: #1002021.exe, 00000000.00000003.233010054.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: #1002021.exe, 00000000.00000003.232991542.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com(s
Source: #1002021.exe, 00000000.00000003.232954091.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com)x
Source: #1002021.exe, 00000002.00000002.509235147.0000000002DF0000.00000004.00000001.sdmp | String found in binary or memory: http://mail.yillyenterprise.com
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: #1002021.exe, 00000000.00000003.238160871.0000000006132000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.237834875.0000000006133000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: #1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.236825430.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: #1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com.
Source: #1002021.exe, 00000000.00000003.236050979.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comB
Source: #1002021.exe, 00000000.00000003.236345460.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comEac
Source: #1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma
Source: #1002021.exe, 00000000.00000003.236825430.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comadiIo
Source: #1002021.exe, 00000000.00000003.236345460.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comct
Source: #1002021.exe, 00000000.00000003.236825430.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comd
Source: #1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.come
Source: #1002021.exe, 00000000.00000003.236825430.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comexcyx
Source: #1002021.exe, 00000000.00000003.236825430.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comhly
Source: #1002021.exe, 00000000.00000003.236345460.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comig
Source: #1002021.exe, 00000000.00000003.236050979.000000000612F000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: #1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: #1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-uPo
Source: #1002021.exe, 00000000.00000003.236050979.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comncy
Source: #1002021.exe, 00000000.00000003.236258079.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: #1002021.exe, 00000000.00000003.236345460.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comona
Source: #1002021.exe, 00000000.00000003.236050979.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comroagx
Source: #1002021.exe, 00000000.00000003.236136279.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coms
Source: #1002021.exe, 00000000.00000003.236993027.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comypo
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: #1002021.exe, 00000000.00000003.247066207.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: #1002021.exe, 00000000.00000003.240149325.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: #1002021.exe, 00000000.00000003.241881177.000000000614E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlP
Source: #1002021.exe, 00000000.00000003.241434699.000000000614E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmll
Source: #1002021.exe, 00000000.00000003.241066365.000000000614E000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.241155918.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: #1002021.exe, 00000000.00000003.241516438.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersX
Source: #1002021.exe, 00000000.00000003.241760287.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersb
Source: #1002021.exe, 00000000.00000003.240592424.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersh
Source: #1002021.exe, 00000000.00000002.259657704.00000000018D7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comgreta
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: #1002021.exe, 00000000.00000003.235268592.0000000006132000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.234746931.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: #1002021.exe, 00000000.00000003.235151202.0000000006132000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: #1002021.exe, 00000000.00000003.234887417.0000000006132000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/:oS
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: #1002021.exe, 00000000.00000003.234673870.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnhk
Source: #1002021.exe, 00000000.00000003.234673870.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnk
Source: #1002021.exe, 00000000.00000003.235268592.0000000006132000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnnie
Source: #1002021.exe, 00000000.00000003.234746931.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnosoxk
Source: #1002021.exe, 00000000.00000003.235268592.0000000006132000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnrh
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: #1002021.exe, 00000000.00000003.244015705.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.243832328.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: #1002021.exe, 00000000.00000003.234356458.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krkrF
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: #1002021.exe, 00000000.00000003.239769294.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: #1002021.exe, 00000000.00000003.244015705.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype./
Source: #1002021.exe, 00000000.00000003.231945776.0000000006112000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: #1002021.exe, 00000000.00000003.231945776.0000000006112000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma
Source: #1002021.exe, 00000000.00000003.237834875.0000000006133000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: #1002021.exe, 00000000.00000003.234231804.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: #1002021.exe, 00000000.00000003.234231804.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krF
Source: #1002021.exe, 00000000.00000003.234356458.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krm
Source: #1002021.exe, 00000000.00000003.234356458.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krtp
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: #1002021.exe, 00000000.00000003.236993027.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslnt
Source: #1002021.exe, 00000000.00000003.235341381.00000000018DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comz
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: #1002021.exe, 00000000.00000003.239769294.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.242060423.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.241903401.0000000006137000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: #1002021.exe, 00000000.00000003.241903401.0000000006137000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deFyYl
Source: #1002021.exe, 00000000.00000003.239769294.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.defl
Source: #1002021.exe, 00000000.00000003.239667019.000000000612B000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.det
Source: #1002021.exe, 00000000.00000003.235727969.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: #1002021.exe, 00000000.00000003.235656212.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn(ii
Source: #1002021.exe, 00000000.00000003.235656212.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cna
Source: #1002021.exe, 00000000.00000003.235656212.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnsofD
Source: #1002021.exe, 00000000.00000003.235656212.000000000612F000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnw
Source: #1002021.exe, 00000002.00000002.509235147.0000000002DF0000.00000004.00000001.sdmp | String found in binary or memory: http://yillyenterprise.com
Source: #1002021.exe | String found in binary or memory: https://github.com/michel-pi/EasyBot.Net
Source: #1002021.exe, 00000000.00000002.260493550.0000000004229000.00000004.00000001.sdmp, #1002021.exe, 00000002.00000002.497062143.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: #1002021.exe, 00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: #1002021.exe, 00000000.00000002.259326859.00000000014FB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
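
The Snort hit (ET 2030171) and the raw flow above say the same thing: a user workstation resolves mail.yillyenterprise.com and then opens TCP/587 to 103.6.198.237. The script below is an added example, not part of the Joe Sandbox report. It runs two checks over constructed connection-log lines: an exact match against the IP and domain this report recorded, and the generic version of the same signal, SMTP submission from any host that is not an approved relay. The log layout, the relay address 192.168.2.10, the DNS resolver address and the benign lines are all made up for the example.

```python
from collections import namedtuple
from typing import Dict, List

# Indicators taken from this report: the SMTP host the sample connected to
# on TCP/587 and the name it resolved first. Nothing else is assumed.
IOC_IPS = {"103.6.198.237"}
IOC_DOMAINS = {"mail.yillyenterprise.com", "yillyenterprise.com"}

# SMTP relay and submission ports; this capture uses 587.
SMTP_PORTS = {25, 465, 587}

# Assumption: only an internal relay may speak SMTP outbound, so any other
# source on these ports is the infrastructure-agnostic form of this exfil.
APPROVED_MAIL_SENDERS = {"192.168.2.10"}

Event = namedtuple("Event", "ts src dst dport proto detail")


def parse_line(line: str) -> Event:
    """Constructed layout: '<ts> <src> <dst>:<dport> <proto> <detail>'.
    'detail' is the query name on dns lines and '-' on everything else."""
    ts, src, dst_port, proto, detail = line.split(maxsplit=4)
    dst, dport = dst_port.rsplit(":", 1)
    return Event(ts, src, dst, int(dport), proto.lower(), detail)


def classify(ev: Event) -> List[str]:
    """Labels that apply to one event; empty list means nothing fired."""
    hits = []
    if ev.dst in IOC_IPS:
        hits.append("ioc-ip")
    if ev.proto == "dns" and any(
            ev.detail == d or ev.detail.endswith("." + d) for d in IOC_DOMAINS):
        hits.append("ioc-domain")
    if (ev.proto == "tcp" and ev.dport in SMTP_PORTS
            and ev.src not in APPROVED_MAIL_SENDERS):
        hits.append("smtp-from-endpoint")
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map the timestamp of every line with at least one hit to its labels."""
    findings = {}
    for ev in map(parse_line, lines):
        hits = classify(ev)
        if hits:
            findings[ev.ts] = hits
    return findings


# Constructed log: the report's two observed flows (DNS lookup, then TCP/587
# to the resolved host) followed by two benign lines.
SAMPLE_LOG = [
    "10:00:01 192.168.2.7 192.168.2.1:53 dns mail.yillyenterprise.com",
    "10:00:02 192.168.2.7 103.6.198.237:587 tcp -",
    "10:00:03 192.168.2.10 198.51.100.20:25 tcp -",
    "10:00:04 192.168.2.7 198.51.100.40:443 tcp -",
]

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG).items():
        print(ts, ", ".join(hits))
```

The IOC checks only catch this sample's infrastructure; the `smtp-from-endpoint` rule is the one worth keeping, since AgentTesla builds rotate mailboxes freely but almost always leave a workstation talking SMTP submission directly to the internet. Its precision depends entirely on how complete the relay allow list is.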

System Summary:

.NET source code contains very large array initializations
Source: 2.2.#1002021.exe.400000.0.unpack, <PrivateImplementationDetails>{64D54FA0-DCE6-4D17-90E5-01D5DCD649E7}/E665D213-E6B6-4438-9BD5-2DBC4037211B.cs | Large array initialization: .cctor: array initializer size 11944
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_00D792F3
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01855030
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01850040
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_018552E0
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01851F48
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_018528D9
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_018528E8
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01850012
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01855020
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01851362
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01856B6A
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01853AA1
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01853AB0
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01856AB8
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01856AC8
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_018552D1
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_018515DD
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01854D00
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01854D10
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01855539
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01855552
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01855572
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01852410
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01850FA7
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01850FD8
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01851F39
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01851610
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_056A6688
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_056A0128
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_056A6668
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_056A011A
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_007992F3
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_00FC46A0
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_00FC4690
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_00FC4672
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_05F945D8
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_05F97E70
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_05F9007A
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_05F9A820
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_05F9E818
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_05F953C0
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_05F952C1
                  Source: #1002021.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: #1002021.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: #1002021.exeBinary or memory string: OriginalFilename vs #1002021.exe
                  Source: #1002021.exe, 00000000.00000002.271508945.0000000007D70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs #1002021.exe
                  Source: #1002021.exe, 00000000.00000002.266357883.0000000004729000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs #1002021.exe
                  Source: #1002021.exe, 00000000.00000002.260493550.0000000004229000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameexoUqrJZudHREjogRnRvJGlrAcwRCcAwmeAsDDz.exe4 vs #1002021.exe
                  Source: #1002021.exe, 00000000.00000002.260198653.0000000003221000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMetroFramework.dll> vs #1002021.exe
                  Source: #1002021.exeBinary or memory string: OriginalFilename vs #1002021.exe
                  Source: #1002021.exe, 00000002.00000002.502728356.0000000000E18000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs #1002021.exe
                  Source: #1002021.exe, 00000002.00000002.497062143.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameexoUqrJZudHREjogRnRvJGlrAcwRCcAwmeAsDDz.exe4 vs #1002021.exe
                  Source: #1002021.exe, 00000002.00000002.505988471.00000000011A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs #1002021.exe
                  Source: #1002021.exe, 00000002.00000002.505956956.0000000001190000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs #1002021.exe
                  Source: #1002021.exe, 00000002.00000002.505887561.0000000001120000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs #1002021.exe
                  Source: #1002021.exe, 00000002.00000002.499451393.00000000009E8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs #1002021.exe
                  Source: #1002021.exeBinary or memory string: OriginalFilename vs #1002021.exe
                  Source: #1002021.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: #1002021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 2.2.#1002021.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 2.2.#1002021.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: #1002021.exe, 00000000.00000003.243832328.000000000612B000.00000004.00000001.sdmpBinary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
                  Source: C:\Users\user\Desktop\#1002021.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#1002021.exe.logJump to behavior
                  Source: #1002021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\#1002021.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\#1002021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\#1002021.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: #1002021.exe | ReversingLabs: Detection: 35%
                  Source: unknown | Process created: C:\Users\user\Desktop\#1002021.exe 'C:\Users\user\Desktop\#1002021.exe'
                  Source: C:\Users\user\Desktop\#1002021.exe | Process created: C:\Users\user\Desktop\#1002021.exe {path}
                  Source: C:\Users\user\Desktop\#1002021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: C:\Users\user\Desktop\#1002021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\#1002021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: #1002021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: #1002021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                  Data Obfuscation:

                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: #1002021.exe, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
                  Source: 0.2.#1002021.exe.d70000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
                  Source: 2.2.#1002021.exe.790000.1.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
                  Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01855B8B push edx; retf 0_2_01855B8E
                  Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_0185A576 push dword ptr [edx+ebp*2-75h]; iretd 0_2_0185A57F
                  Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01858570 push 0000005Dh; ret 0_2_018585A1
                  Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_056ACF7B push esp; retf 0_2_056ACF81
                  Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_05F934EC push eax; retf 2_2_05F934ED
                  Source: initial sample | Static PE information: section name: .text entropy: 7.89650748238
                  Source: C:\Users\user\Desktop\#1002021.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara match | File source: Process Memory Space: #1002021.exe PID: 4612, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\#1002021.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\#1002021.exe | Window / User API: threadDelayed 3344
                  Source: C:\Users\user\Desktop\#1002021.exe | Window / User API: threadDelayed 6433
                  Source: C:\Users\user\Desktop\#1002021.exe TID: 4456 | Thread sleep time: -31500s >= -30000s
                  Source: C:\Users\user\Desktop\#1002021.exe TID: 2116 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\#1002021.exe TID: 5108 | Thread sleep time: -14757395258967632s >= -30000s
                  Source: C:\Users\user\Desktop\#1002021.exe TID: 5052 | Thread sleep count: 3344 > 30
                  Source: C:\Users\user\Desktop\#1002021.exe TID: 5052 | Thread sleep count: 6433 > 30
                  Source: C:\Users\user\Desktop\#1002021.exe TID: 5108 | Thread sleep count: 36 > 30
                  Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\#1002021.exe | Thread delayed: delay time: 31500
                  Source: C:\Users\user\Desktop\#1002021.exe | Thread delayed: delay time: 922337203685477
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: vmware
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: #1002021.exe, 00000002.00000002.505109246.0000000000ED1000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                  Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: C:\Users\user\Desktop\#1002021.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\#1002021.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  .NET source code references suspicious native API functions
                  Source: #1002021.exe, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                  Source: 0.0.#1002021.exe.d70000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                  Source: 0.2.#1002021.exe.d70000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                  Source: 2.0.#1002021.exe.790000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                  Source: 2.2.#1002021.exe.790000.1.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
                  Source: 2.2.#1002021.exe.400000.0.unpack, A/b2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\#1002021.exe | Memory written: C:\Users\user\Desktop\#1002021.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\#1002021.exe | Process created: C:\Users\user\Desktop\#1002021.exe {path}
                  Source: #1002021.exe, 00000002.00000002.506230894.00000000015A0000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
                  Source: #1002021.exe, 00000002.00000002.506230894.00000000015A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: #1002021.exe, 00000002.00000002.506230894.00000000015A0000.00000002.00000001.sdmp | Binary or memory string: Progman
                  Source: #1002021.exe, 00000002.00000002.506230894.00000000015A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Users\user\Desktop\#1002021.exe VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Users\user\Desktop\#1002021.exe VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\#1002021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  Yara detected AgentTesla
                  Source: Yara match | File source: 00000002.00000002.497062143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.260493550.0000000004229000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: #1002021.exe PID: 4612, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: #1002021.exe PID: 2672, type: MEMORY
                  Source: Yara match | File source: 2.2.#1002021.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.#1002021.exe.43d9ba0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.#1002021.exe.43d9ba0.3.unpack, type: UNPACKEDPE
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\user\Desktop\#1002021.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\#1002021.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\#1002021.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\#1002021.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\user\Desktop\#1002021.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Source: C:\Users\user\Desktop\#1002021.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Tries to steal Mail credentials (via file access)
                  Source: C:\Users\user\Desktop\#1002021.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\#1002021.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\user\Desktop\#1002021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match | File source: 00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: #1002021.exe PID: 2672, type: MEMORY

                  Remote Access Functionality:

                  Yara detected AgentTesla
                  Source: Yara match | File source: 00000002.00000002.497062143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.260493550.0000000004229000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: #1002021.exe PID: 4612, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: #1002021.exe PID: 2672, type: MEMORY
                  Source: Yara match | File source: 2.2.#1002021.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.#1002021.exe.43d9ba0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.#1002021.exe.43d9ba0.3.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Security Software Discovery 211 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Input Capture 1 | Process Discovery 2 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Credentials in Registry 1 | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Data from Local System 2 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud |
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Information Discovery 114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                  Behavior Graph


                  Screenshots


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  #1002021.exe | 35% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  2.2.#1002021.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                  Domains

                  Source | Detection | Scanner
                  yillyenterprise.com | 0% | Virustotal
                  mail.yillyenterprise.com | 0% | Virustotal

                  URLs

                  Source | Detection | Scanner | Label
                  http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.comn-uPo | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.comn-u | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                  http://5TEa8DtAtM9Dv.org | 0% | Avira URL Cloud | safe
                  http://fontfabrik.com)x | 0% | Avira URL Cloud | safe
                  http://www.tiro.com | 0% | URL Reputation | safe
                  http://www.zhongyicts.com.cn(ii | 0% | Avira URL Cloud | safe
                  http://www.founder.com.cn/cnrh | 0% | Avira URL Cloud | safe
                  http://www.goodfont.co.kr | 0% | URL Reputation | safe
                  http://www.carterandcone.com | 0% | URL Reputation | safe
                  http://www.carterandcone.comexcyx | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.com. | 0% | URL Reputation | safe
                  http://www.carterandcone.comypo | 0% | Avira URL Cloud | safe
                  http://www.sajatypeworks.com | 0% | URL Reputation | safe
                  http://www.carterandcone.comB | 0% | Avira URL Cloud | safe
                  http://www.typography.netD | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                  http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                  http://fontfabrik.com | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cnk | 0% | Avira URL Cloud | safe
                  http://www.fontbureau.comgreta | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.comEac | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.comroagx | 0% | Avira URL Cloud | safe
                  http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                  http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cnosoxk | 0% | Avira URL Cloud | safe
                  http://www.sandoll.co.kr | 0% | URL Reputation | safe
                  http://www.sajatypeworks.coma | 0% | URL Reputation | safe
                  http://www.sandoll.co.krF | 0% | Avira URL Cloud | safe
                  http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                  http://www.sandoll.co.krtp | 0% | Avira URL Cloud | safe
                  http://www.urwpp.de | 0% | URL Reputation | safe
                  http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                  http://www.carterandcone.como. | 0% | URL Reputation | safe
                  http://www.sakkal.com | 0% | URL Reputation | safe
                  http://www.carterandcone.comig | 0% | Avira URL Cloud | safe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                  http://www.urwpp.defl | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.coma | 0% | URL Reputation | safe
                  http://www.tiro.comz | 0% | Avira URL Cloud | safe
                  http://DynDns.comDynDNS | 0% | URL Reputation | safe
                  http://www.carterandcone.come | 0% | URL Reputation | safe
                  http://www.carterandcone.comd | 0% | URL Reputation | safe
                  http://www.carterandcone.comct | 0% | Avira URL Cloud | safe
                  http://www.tiro.comslnt | 0% | URL Reputation | safe

                  Domains and IPs

                  Contacted Domains

                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  yillyenterprise.com | 103.6.198.237 | true | true | | unknown
                  mail.yillyenterprise.com | unknown | unknown | true | | unknown

                  URLs from Memory and Binaries

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://127.0.0.1:HTTP/1.1 | #1002021.exe, 00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                  http://www.fontbureau.com/designersG | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | | high
                  http://www.carterandcone.comn-uPo | #1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.carterandcone.comn-u | #1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers/? | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | | high
                  http://www.founder.com.cn/cn/bThe | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  https://github.com/michel-pi/EasyBot.Net | #1002021.exe | false | | high
                  http://www.fontbureau.com/designers? | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | | high
                  http://5TEa8DtAtM9Dv.org | #1002021.exe, 00000002.00000002.509134848.0000000002DA9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://fontfabrik.com)x | #1002021.exe, 00000000.00000003.232954091.000000000612B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                  http://www.fontbureau.com/designersX | #1002021.exe, 00000000.00000003.241516438.000000000612B000.00000004.00000001.sdmp | false | | high
                  http://www.tiro.com | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.zhongyicts.com.cn(ii | #1002021.exe, 00000000.00000003.235656212.000000000612F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                  http://www.fontbureau.com/designers | #1002021.exe, 00000000.00000003.247066207.000000000612B000.00000004.00000001.sdmp | false | | high
                  http://www.founder.com.cn/cnrh | #1002021.exe, 00000000.00000003.235268592.0000000006132000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.goodfont.co.kr | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.carterandcone.com | #1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.236825430.000000000612F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.carterandcone.comexcyx | #1002021.exe, 00000000.00000003.236825430.000000000612F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.carterandcone.com. | #1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.carterandcone.comypo | #1002021.exe, 00000000.00000003.236993027.000000000612F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.sajatypeworks.com | #1002021.exe, 00000000.00000003.231945776.0000000006112000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.carterandcone.comB | #1002021.exe, 00000000.00000003.236050979.000000000612F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.typography.netD | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designersh | #1002021.exe, 00000000.00000003.240592424.000000000612B000.00000004.00000001.sdmp | false | | high
                  http://www.founder.com.cn/cn/cThe | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.galapagosdesign.com/staff/dennis.htm | #1002021.exe, 00000000.00000003.244015705.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.243832328.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://fontfabrik.com | #1002021.exe, 00000000.00000003.233010054.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.founder.com.cn/cnk | #1002021.exe, 00000000.00000003.234673870.000000000612B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.fontbureau.comgreta | #1002021.exe, 00000000.00000002.259657704.00000000018D7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.carterandcone.comEac | #1002021.exe, 00000000.00000003.236345460.000000000612F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.carterandcone.comroagx | #1002021.exe, 00000000.00000003.236050979.000000000612F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.fontbureau.com/designersb | #1002021.exe, 00000000.00000003.241760287.000000000612B000.00000004.00000001.sdmp | false | | high
                  http://www.galapagosdesign.com/DPlease | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.ascendercorp.com/typedesigners.html | #1002021.exe, 00000000.00000003.238160871.0000000006132000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.237834875.0000000006133000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fonts.com | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | | high
                  http://www.founder.com.cn/cnosoxk | #1002021.exe, 00000000.00000003.234746931.000000000612B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.sandoll.co.kr | #1002021.exe, 00000000.00000003.234231804.000000000612B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.sajatypeworks.coma | #1002021.exe, 00000000.00000003.231945776.0000000006112000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.sandoll.co.krF | #1002021.exe, 00000000.00000003.234231804.000000000612B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.urwpp.deDPlease | #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.sandoll.co.krtp | #1002021.exe, 00000000.00000003.234356458.000000000612B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.urwpp.de | #1002021.exe, 00000000.00000003.239769294.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.242060423.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.241903401.0000000006137000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.zhongyicts.com.cn | #1002021.exe, 00000000.00000003.235727969.000000000612F000.00000004.00000001.sdmp | false
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.carterandcone.como.#1002021.exe, 00000000.00000003.236258079.000000000612F000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.sakkal.com#1002021.exe, 00000000.00000003.237834875.0000000006133000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.carterandcone.comig#1002021.exe, 00000000.00000003.236345460.000000000612F000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip#1002021.exe, 00000000.00000002.260493550.0000000004229000.00000004.00000001.sdmp, #1002021.exe, 00000002.00000002.497062143.0000000000402000.00000040.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.defl#1002021.exe, 00000000.00000003.239769294.000000000612B000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.carterandcone.coma#1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.tiro.comz#1002021.exe, 00000000.00000003.235341381.00000000018DC000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.apache.org/licenses/LICENSE-2.0#1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.fontbureau.com#1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmpfalse
                                        high
                                        http://DynDns.comDynDNS#1002021.exe, 00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/cabarga.htmll#1002021.exe, 00000000.00000003.241434699.000000000614E000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.carterandcone.come#1002021.exe, 00000000.00000003.236527692.000000000612F000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comd#1002021.exe, 00000000.00000003.236825430.000000000612F000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comct#1002021.exe, 00000000.00000003.236345460.000000000612F000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.tiro.comslnt#1002021.exe, 00000000.00000003.236993027.000000000612F000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha#1002021.exe, 00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cnw#1002021.exe, 00000000.00000003.235656212.000000000612F000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.founder.com.cn/cn/:oS#1002021.exe, 00000000.00000003.234887417.0000000006132000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sandoll.co.krm#1002021.exe, 00000000.00000003.234356458.000000000612B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.urwpp.deFyYl#1002021.exe, 00000000.00000003.241903401.0000000006137000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.carterandcone.coms#1002021.exe, 00000000.00000003.236136279.000000000612F000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cnhk#1002021.exe, 00000000.00000003.234673870.000000000612B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.goodfont.co.krkrF#1002021.exe, 00000000.00000003.234356458.000000000612B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://en.w#1002021.exe, 00000000.00000003.233272249.000000000612B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.coml#1002021.exe, 00000000.00000003.236050979.000000000612F000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cn/#1002021.exe, 00000000.00000003.235151202.0000000006132000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlN#1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.founder.com.cn/cn#1002021.exe, 00000000.00000003.235268592.0000000006132000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.234746931.000000000612B000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/frere-jones.html#1002021.exe, 00000000.00000003.241066365.000000000614E000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000003.241155918.000000000612B000.00000004.00000001.sdmp, #1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.carterandcone.comhly#1002021.exe, 00000000.00000003.236825430.000000000612F000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.zhongyicts.com.cna#1002021.exe, 00000000.00000003.235656212.000000000612F000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlP#1002021.exe, 00000000.00000003.241881177.000000000614E000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.zhongyicts.com.cnsofD#1002021.exe, 00000000.00000003.235656212.000000000612F000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.monotype./#1002021.exe, 00000000.00000003.244015705.000000000612B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.monotype.#1002021.exe, 00000000.00000003.239769294.000000000612B000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.carterandcone.comadiIo#1002021.exe, 00000000.00000003.236825430.000000000612F000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.urwpp.det#1002021.exe, 00000000.00000003.239667019.000000000612B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/#1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.carterandcone.comona#1002021.exe, 00000000.00000003.236345460.000000000612F000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://fontfabrik.com(s#1002021.exe, 00000000.00000003.232991542.000000000612B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                low
                                                http://www.fontbureau.com/designers8#1002021.exe, 00000000.00000002.268152409.0000000006200000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://BtAllR.com#1002021.exe, 00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://mail.yillyenterprise.com#1002021.exe, 00000002.00000002.509235147.0000000002DF0000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.carterandcone.comncy#1002021.exe, 00000000.00000003.236050979.000000000612F000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/#1002021.exe, 00000000.00000003.240149325.000000000612B000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://yillyenterprise.com#1002021.exe, 00000002.00000002.509235147.0000000002DF0000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.founder.com.cn/cnnie#1002021.exe, 00000000.00000003.235268592.0000000006132000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown

                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.6.198.237 | yillyenterprise.com | Malaysia | 46015 | EXABYTES-AS-AP ExaBytes Network Sdn Bhd, MY | true

                                                    General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383981
Start date: 08.04.2021
Start time: 13:33:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: #1002021.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0% (good quality ratio 0%)
• Quality average: 51%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 47
• Number of non-executed functions: 17
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 95.100.54.203, 52.255.188.83, 40.88.32.150, 205.185.216.10, 205.185.216.42
• Excluded domains from analysis (whitelisted): fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
13:34:12 | API Interceptor | 689x Sleep call for process: #1002021.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

Match | Associated Sample Name / URL | Detection
103.6.198.237 | #100028153.exe | malicious
 | #ENQ67548820.exe | malicious
 | _0000628.EXE | malicious
 | RFQ#100027386.exe | malicious

                                                            Domains

Match | Associated Sample Name / URL | Detection

                                                            ASN

Match | Associated Sample Name / URL | Detection | Contacted IP
EXABYTES-AS-AP ExaBytes Network Sdn Bhd, MY | PO AA21C04U3101-MTXGA6_PDF.exe | malicious | 137.59.110.57
 | #100028153.exe | malicious | 103.6.198.237
 | #ENQ67548820.exe | malicious | 103.6.198.237
 | PO AA21C04U3101-MTXGA6_PDF.exe | malicious | 137.59.110.57
 | New Order 1-4-2021_PDF.exe | malicious | 137.59.110.57
 | New Order 1-4-2021_PDF.exe | malicious | 137.59.110.57
 | TaTYytHaBk.exe | malicious | 110.4.47.139
 | _0000628.EXE | malicious | 103.6.198.237
 | confirm bank account details pdf.exe | malicious | 103.6.198.37
 | RFQ#100027386.exe | malicious | 103.6.198.237
 | SWIFT COPY.png.exe | malicious | 103.6.196.156
 | PAYMENT CONFIRMATION.exe | malicious | 103.6.196.156
 | bank slip 10 285 USD..exe | malicious | 103.6.198.37
 | 1 Total New Invoices_Wendesday March 10_2021.xlsm | malicious | 137.59.109.40
 | Request Quotation.exe | malicious | 103.6.198.37
 | change certificate.exe | malicious | 103.6.196.156
 | Products Lists.exe | malicious | 103.6.196.156
 | payment and Bank confirm.exe | malicious | 103.6.198.37
 | Scanned Copy.exe | malicious | 103.6.196.156
 | Scanned Copy.exe | malicious | 103.6.196.156

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#1002021.exe.log
Process: C:\Users\user\Desktop\#1002021.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                            C:\Users\user\AppData\Roaming\jvbxs1bu.tzq\Chrome\Default\Cookies
Process: C:\Users\user\Desktop\#1002021.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6969296358976265
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBo2+tYeF+X:T5LLOpEO5J/Kn7U1uBo2UYeQ
MD5: A9DBC7B8E523ABE3B02D77DBF2FCD645
SHA1: DF5EE16ECF4B3B02E312F935AE81D4C5D2E91CA8
SHA-256: 39B4E45A062DEA6F541C18FA1A15C5C0DB43A59673A26E2EB5B8A4345EE767AE
SHA-512: 3CF87455263E395313E779D4F440D8405D86244E04B5F577BB9FA2F4A2069DE019D340F6B2F6EF420DEE3D3DEEFD4B58DA3FCA3BB802DE348E1A810D6379CC3B
Malicious: false
Reputation: moderate, very likely benign file
                                                            Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.85966850681175
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:#1002021.exe
                                                            File size:812032
                                                            MD5:6208b6541936333f498204d1ec7234db
                                                            SHA1:62a31f0f710ce7af593ff6ce28d22b8fe1ca8097
                                                            SHA256:c1f2ef3f7a994adba520b81e95a6c792a263d574247d66b7d1e3edce99a4910d
                                                            SHA512:e4096f7151f1b2d8334fce72171cc2d15ad6db7f2dd073d969d376e4e1afc7d32e4f058fc4cc92dd0ccad48a0494f37526ed62139b21b2e0517c26e8c2ca2a1e
                                                            SSDEEP:24576:QWqx8H2Lu1CzjFYERRLdRJEO0Kb5e5Z1dPoOv1xJNESy:iiaiER1dl0KOZ1FoOv1xzty
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n`..............0..:...(.......Y... ...`....@.. ....................................@................................

                                                            File Icon

                                                            Icon Hash:12b2b2f069f0d6a8

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x4b5992
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                            Time Stamp:0x606EA71C [Thu Apr 8 06:47:56 2021 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:v4.0.30319
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

                                                            Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5940 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0x124fc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

                                                            Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xb39b0 | 0xb3a00 | False | 0.905251011221 | data | 7.89650748238 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xb6000 | 0x124fc | 0x12600 | False | 0.824776785714 | data | 7.32099896967 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xca000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

                                                            Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xb6220 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | | |
| RT_ICON | 0xb6ac8 | 0x568 | GLS_BINARY_LSB_FIRST | | |
| RT_ICON | 0xb7030 | 0xd49e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | |
| RT_ICON | 0xc44d0 | 0x25a8 | data | | |
| RT_ICON | 0xc6a78 | 0x10a8 | data | | |
| RT_ICON | 0xc7b20 | 0x468 | GLS_BINARY_LSB_FIRST | | |
| RT_GROUP_ICON | 0xc7f88 | 0x5a | data | | |
| RT_VERSION | 0xc7fe4 | 0x32c | data | | |
| RT_MANIFEST | 0xc8310 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | | |

                                                            Imports

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

                                                            Version Infos

| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Copyright 2018 - 2021 |
| Assembly Version | 3.1.0.5 |
| InternalName | H.exe |
| FileVersion | 3.1.0.5 |
| CompanyName | |
| LegalTrademarks | |
| Comments | |
| ProductName | Image Manager |
| ProductVersion | 3.1.0.5 |
| FileDescription | Image Manager |
| OriginalFilename | H.exe |

                                                            Network Behavior

                                                            Snort IDS Alerts

| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/08/21-13:36:02.138163 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49705 | 587 | 192.168.2.7 | 103.6.198.237 |
| 04/08/21-13:36:08.550492 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49706 | 587 | 192.168.2.7 | 103.6.198.237 |

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 13:35:59.881308079 CEST | 192.168.2.7 | 8.8.8.8 | 0x561 | Standard query (0) | mail.yillyenterprise.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:36:00.043958902 CEST | 192.168.2.7 | 8.8.8.8 | 0x294c | Standard query (0) | mail.yillyenterprise.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 13:36:00.025511980 CEST | 8.8.8.8 | 192.168.2.7 | 0x561 | No error (0) | mail.yillyenterprise.com | yillyenterprise.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:36:00.025511980 CEST | 8.8.8.8 | 192.168.2.7 | 0x561 | No error (0) | yillyenterprise.com | - | 103.6.198.237 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:36:00.180869102 CEST | 8.8.8.8 | 192.168.2.7 | 0x294c | No error (0) | mail.yillyenterprise.com | yillyenterprise.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:36:00.180869102 CEST | 8.8.8.8 | 192.168.2.7 | 0x294c | No error (0) | yillyenterprise.com | - | 103.6.198.237 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 8, 2021 13:36:01.137983084 CEST | 587 | 49705 | 103.6.198.237 | 192.168.2.7 | 220-naan.mschosting.com ESMTP Exim 4.94 #2 Thu, 08 Apr 2021 19:36:00 +0800
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 8, 2021 13:36:01.138521910 CEST | 49705 | 587 | 192.168.2.7 | 103.6.198.237 | EHLO 562258
Apr 8, 2021 13:36:01.296506882 CEST | 587 | 49705 | 103.6.198.237 | 192.168.2.7 | 250-naan.mschosting.com Hello 562258 [185.32.222.8]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-X_PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 8, 2021 13:36:01.299990892 CEST | 49705 | 587 | 192.168.2.7 | 103.6.198.237 | AUTH login ZWt3ZUB5aWxseWVudGVycHJpc2UuY29t
Apr 8, 2021 13:36:01.459542036 CEST | 587 | 49705 | 103.6.198.237 | 192.168.2.7 | 334 UGFzc3dvcmQ6
Apr 8, 2021 13:36:01.651850939 CEST | 587 | 49705 | 103.6.198.237 | 192.168.2.7 | 235 Authentication succeeded
Apr 8, 2021 13:36:01.652968884 CEST | 49705 | 587 | 192.168.2.7 | 103.6.198.237 | MAIL FROM:<ekwe@yillyenterprise.com>
Apr 8, 2021 13:36:01.812494993 CEST | 587 | 49705 | 103.6.198.237 | 192.168.2.7 | 250 OK
Apr 8, 2021 13:36:01.813287020 CEST | 49705 | 587 | 192.168.2.7 | 103.6.198.237 | RCPT TO:<ekwe@yillyenterprise.com>
Apr 8, 2021 13:36:01.974700928 CEST | 587 | 49705 | 103.6.198.237 | 192.168.2.7 | 250 Accepted
Apr 8, 2021 13:36:01.975182056 CEST | 49705 | 587 | 192.168.2.7 | 103.6.198.237 | DATA
Apr 8, 2021 13:36:02.133307934 CEST | 587 | 49705 | 103.6.198.237 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
Apr 8, 2021 13:36:02.138586998 CEST | 49705 | 587 | 192.168.2.7 | 103.6.198.237 | .
Apr 8, 2021 13:36:05.547955036 CEST | 587 | 49705 | 103.6.198.237 | 192.168.2.7 | 250 OK id=1lUSx7-0001j3-7A
Apr 8, 2021 13:36:06.851862907 CEST | 49705 | 587 | 192.168.2.7 | 103.6.198.237 | QUIT
Apr 8, 2021 13:36:07.012679100 CEST | 587 | 49705 | 103.6.198.237 | 192.168.2.7 | 221 naan.mschosting.com closing connection
Apr 8, 2021 13:36:07.487416029 CEST | 587 | 49706 | 103.6.198.237 | 192.168.2.7 | 220-naan.mschosting.com ESMTP Exim 4.94 #2 Thu, 08 Apr 2021 19:36:06 +0800
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 8, 2021 13:36:07.487638950 CEST | 49706 | 587 | 192.168.2.7 | 103.6.198.237 | EHLO 562258
Apr 8, 2021 13:36:07.644337893 CEST | 587 | 49706 | 103.6.198.237 | 192.168.2.7 | 250-naan.mschosting.com Hello 562258 [185.32.222.8]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-X_PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 8, 2021 13:36:07.644555092 CEST | 49706 | 587 | 192.168.2.7 | 103.6.198.237 | AUTH login ZWt3ZUB5aWxseWVudGVycHJpc2UuY29t
Apr 8, 2021 13:36:07.800918102 CEST | 587 | 49706 | 103.6.198.237 | 192.168.2.7 | 334 UGFzc3dvcmQ6
Apr 8, 2021 13:36:07.978279114 CEST | 587 | 49706 | 103.6.198.237 | 192.168.2.7 | 235 Authentication succeeded
Apr 8, 2021 13:36:08.071701050 CEST | 49706 | 587 | 192.168.2.7 | 103.6.198.237 | MAIL FROM:<ekwe@yillyenterprise.com>
Apr 8, 2021 13:36:08.233066082 CEST | 587 | 49706 | 103.6.198.237 | 192.168.2.7 | 250 OK
Apr 8, 2021 13:36:08.233257055 CEST | 49706 | 587 | 192.168.2.7 | 103.6.198.237 | RCPT TO:<ekwe@yillyenterprise.com>
Apr 8, 2021 13:36:08.390316010 CEST | 587 | 49706 | 103.6.198.237 | 192.168.2.7 | 250 Accepted
Apr 8, 2021 13:36:08.390476942 CEST | 49706 | 587 | 192.168.2.7 | 103.6.198.237 | DATA
Apr 8, 2021 13:36:08.548432112 CEST | 587 | 49706 | 103.6.198.237 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
Apr 8, 2021 13:36:08.550676107 CEST | 49706 | 587 | 192.168.2.7 | 103.6.198.237 | .
Apr 8, 2021 13:36:11.958472013 CEST | 587 | 49706 | 103.6.198.237 | 192.168.2.7 | 250 OK id=1lUSxD-0001lg-KU

                                                            Code Manipulations

                                                            Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

                                                            System Behavior

                                                            General

Start time: 13:34:01
Start date: 08/04/2021
Path: C:\Users\user\Desktop\#1002021.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\#1002021.exe'
Imagebase: 0xd70000
File size: 812032 bytes
MD5 hash: 6208B6541936333F498204D1EC7234DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.260493550.0000000004229000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                            General

Start time: 13:34:14
Start date: 08/04/2021
Path: C:\Users\user\Desktop\#1002021.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x790000
File size: 812032 bytes
MD5 hash: 6208B6541936333F498204D1EC7234DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.497062143.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                            Disassembly

                                                            Code Analysis


                                                              Executed Functions

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.267243529.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$Xcrk
                                                              • API String ID: 0-3299150100
                                                              • Opcode ID: 3f2dfc62411855780fc8709bab58e2cb01fdd48dcded5c2a66f83aa02a6b3bab
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.267243529.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$$%@l$Xcrk
                                                              • API String ID: 0-3299150100
                                                              • Opcode ID: 5de589eb05c4383ad82fa32567189759904a356d54f117e618e744d9a7441bee
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: kt"<
                                                              • API String ID: 0-373708085
                                                              • Opcode ID: 0925770f110c70662e9455ffc0b199954e1a71e00d1eaae4fa453b460845d174
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: kt"<
                                                              • API String ID: 0-373708085
                                                              • Opcode ID: 40ef996e499d2af31dadffce53cefdcd8fc81902e26532423a39803a1df4b7f5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Z*&
                                                              • API String ID: 0-1423835356
                                                              • Opcode ID: 9e9e3b2cc8b36ca3a401e054d74b85b39654705799912033a58f3dd413a8cb16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Z*&
                                                              • API String ID: 0-1423835356
                                                              • Opcode ID: d3439f857766130f9ae3364b1c7e617c00b41e31695a6374aa13f88ab837fe68
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.267243529.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0a079344d0fa23984a19e7a2564d74f7b783410d86243656fb5da6efaac3dd4d
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.267243529.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9727c900d17d2595518b4caaa33153eaff35e2ee2783824d727cec6dea020406
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3179380846b36db6ca4002246d37d52e48c057869311d125e099cd7ee4943a07
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4c2b806b934bd61fc3c605213e74cc5aa63a4230bb309e84bd3b299fefb134e
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 903e6f80eca44a49edb7196dec7ee71e3f086cda1842f440a991c9ae989c13a0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a8093598a8e61d32a3e438b136adfdcd221bd7db7596c56a30727d5f91e5d9a6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c04cdeaca6a2b1e6f17ab2ae67ad78590bc1898e129ea6e92aadb15e03b0dcf6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

APIs
• CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 018569D3
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0

APIs
• CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 018569D3
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 056A24A1
Memory Dump Source
• Source File: 00000000.00000002.267243529.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01857555
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01857555
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 018573CF
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 018573CF
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 01857307
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 01857307
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0185748B
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0185748B
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

APIs
• PostMessageW.USER32(?,?,?,?), ref: 018582E5
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0

APIs
• SetWindowLongW.USER32(?,?,?), ref: 056A00CD
Memory Dump Source
• Source File: 00000000.00000002.267243529.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0

APIs
• PostMessageW.USER32(?,?,?,?), ref: 018582E5
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0

APIs
• SetWindowLongW.USER32(?,?,?), ref: 056A00CD
Memory Dump Source
• Source File: 00000000.00000002.267243529.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID:
• String ID: 3"Zj$3leY$D0Dl
• API String ID: 0-1091915455

Strings
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID:
• String ID: T^L$T^L
• API String ID: 0-1526068739

Strings
Memory Dump Source
• Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
Similarity
• API ID:
• String ID: T^L$T^L
• API String ID: 0-1526068739

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: T^L$T^L
                                                              • API String ID: 0-1526068739
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: fH5d
                                                              • API String ID: 0-2842610764
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: fH5d
                                                              • API String ID: 0-2842610764
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.257885853.0000000000D72000.00000002.00020000.sdmp, Offset: 00D70000, based on PE: true
                                                              • Associated: 00000000.00000002.257873813.0000000000D70000.00000002.00020000.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.259609804.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Executed Functions

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 00FC69A0
                                                              • GetCurrentThread.KERNEL32 ref: 00FC69DD
                                                              • GetCurrentProcess.KERNEL32 ref: 00FC6A1A
                                                              • GetCurrentThreadId.KERNEL32 ref: 00FC6A73
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505732820.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FC51A2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505732820.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.512114780.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FC51A2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505732820.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00FC7F01
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505732820.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlEncodePointer.NTDLL(00000000), ref: 00FCC212
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505732820.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                              Similarity
                                                              • API ID: EncodePointer
                                                              • String ID:
                                                              • API String ID: 2118026453-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FC6BEF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505732820.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FC6BEF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505732820.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F9E48A), ref: 05F9E577
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.512114780.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: be999d8673058dcb2e4639cf6b59a22dabf43d716ed4b47b66dd45c2ef7b05c3
                                                              • Instruction ID: e522c3ea94d9e14ff9b3f93d07912802c47841a266c4517f4630ea249646c7fb
                                                              • Opcode Fuzzy Hash: be999d8673058dcb2e4639cf6b59a22dabf43d716ed4b47b66dd45c2ef7b05c3
                                                              • Instruction Fuzzy Hash: 602127B1C04659DFCB00CF9AC844B9EFBF4AF48224F06816AE918A7640D378A945CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F9E48A), ref: 05F9E577
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.512114780.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: 9961d7919aed9be171c2fe3011187f439248597ece77b5eb95318882da45aa44
                                                              • Instruction ID: a76787402fb94d1d49313af2439de489aa472e8681289b268f4bdb7d1422a905
                                                              • Opcode Fuzzy Hash: 9961d7919aed9be171c2fe3011187f439248597ece77b5eb95318882da45aa44
                                                              • Instruction Fuzzy Hash: 9C1117B1C04659DBDB10DF9AD444BEEFBF8EB48224F05812AD914B7240E378A955CFE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlEncodePointer.NTDLL(00000000), ref: 00FCC212
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505732820.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                              Similarity
                                                              • API ID: EncodePointer
                                                              • String ID:
                                                              • API String ID: 2118026453-0
                                                              • Opcode ID: a21324f60cc2c237e8d7edcc0d4d011fd8d572230ad8ce99e433d4a2c9407095
                                                              • Instruction ID: 27eda9b61e88cabadbcbdf98900b34e40c50eadd66c904a7247cc2a50b232ec0
                                                              • Opcode Fuzzy Hash: a21324f60cc2c237e8d7edcc0d4d011fd8d572230ad8ce99e433d4a2c9407095
                                                              • Instruction Fuzzy Hash: 3D1167B19013498FDB20DFAADA09B9EBBF4FB48364F24842DD409E7641C7786945CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00FC4116
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505732820.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 4082082d5b3adc85782c8f0f3c41a55ede63d49227098b77caf9df3254fc43b8
                                                              • Instruction ID: 51a6cd7c47e5529e44282ae99d4a7b82d49d44955cf9e9f4ad8c54787bdfe985
                                                              • Opcode Fuzzy Hash: 4082082d5b3adc85782c8f0f3c41a55ede63d49227098b77caf9df3254fc43b8
                                                              • Instruction Fuzzy Hash: F61123B2C042498BDB10CF9AD444BEEBBF4EB88324F14802ED829B7600D374A545CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00FC4116
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505732820.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 8c9bee9afc1037677c94342fdd44e846893484915cd422691d20b9086b4a2b21
                                                              • Instruction ID: e49fa98c82bdaf35b5304a558e1f274ef83adc2047f1e8f316983c8684763e85
                                                              • Opcode Fuzzy Hash: 8c9bee9afc1037677c94342fdd44e846893484915cd422691d20b9086b4a2b21
                                                              • Instruction Fuzzy Hash: D81132B6C042498FDB10CF9AC945BDEFBF4EB88324F04802AD429B7600C378A545CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505413194.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 13a20f49133f03d0700ea0bc452d45c503bee34439d9e9cb7a260330a823926a
                                                              • Instruction ID: 30df41b08f095799f2f65cceae317bc2b87768b05db4e8b8510cce0e7964793d
                                                              • Opcode Fuzzy Hash: 13a20f49133f03d0700ea0bc452d45c503bee34439d9e9cb7a260330a823926a
                                                              • Instruction Fuzzy Hash: 7B21F575A08340DFDB14CF14D8C0B66BB75FB88324F24C569D9494B24AC33AD887EA61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.505413194.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 070eb7074fbc2a1d67fdcc8c25f3a725a5de12e10b14d7ca71bc451ef40dd36b
                                                              • Instruction ID: 3e143e76b657e2be00f6dc05ad85a618bcc9a843b55a0d76f51a537fb84bd980
                                                              • Opcode Fuzzy Hash: 070eb7074fbc2a1d67fdcc8c25f3a725a5de12e10b14d7ca71bc451ef40dd36b
                                                              • Instruction Fuzzy Hash: CF2180755093C08FCB02CF24D990755BF71EB46324F28C5EAD8498B697C33A984ADB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions