Analysis Report VJNPltkyHyI3CCo.exe

Overview

General Information

Sample Name: VJNPltkyHyI3CCo.exe
Analysis ID: 385435
MD5: 36a7049a4f3be8788f0c844319a5364b
SHA1: fbefd649daddd22154920dcae7dc79f8d6a036ff
SHA256: 20251c86adaf2dc2cf0513e3dc83e78a768d1b016e0dcd738a0e55d3ba7227c4
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • VJNPltkyHyI3CCo.exe (PID: 1156 cmdline: 'C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe' MD5: 36A7049A4F3BE8788F0C844319A5364B)
    • VJNPltkyHyI3CCo.exe (PID: 748 cmdline: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe MD5: 36A7049A4F3BE8788F0C844319A5364B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "office4@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "office4@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}
Multi AV Scanner detection for submitted file
Source: VJNPltkyHyI3CCo.exe | Virustotal: Detection: 17%
Source: 2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: VJNPltkyHyI3CCo.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: VJNPltkyHyI3CCo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_07FC24E8)
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_07FC25B0)
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_07FC24D1)
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 66.70.204.222:587
Source: Joe Sandbox View | IP Address: 66.70.204.222
Source: Joe Sandbox View | ASN Name: OVHFR
Source: unknown | DNS traffic detected: queries for: mail.iykmoreentrprise.org

System Summary:

.NET source code contains very large array initializations
Source: 2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b5844D510u002d733Cu002d46BBu002dA6A0u002dC4CA702DE2D5u007d/u00352929DC6u002d28B3u002d4277u002d9F8Bu002d74711A720111.cs | Large array initialization: .cctor: array initializer size 11967
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09448B38 NtQueryInformationProcess (1_2_09448B38)
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09448B32 NtQueryInformationProcess (1_2_09448B32)
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.211180292.0000000000FDE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSpecialNameAttribute.exe: vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.211954442.00000000034C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000001.00000003.207633242.0000000004777000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216980690.00000000093A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212018302.000000000350B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBmbMvfRMlutQbGRrEptzt.exe4 vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.468839253.00000000013B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.465939429.0000000000F88000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.465844922.0000000000BDE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSpecialNameAttribute.exe: vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.468729651.0000000001300000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.468885871.00000000013F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameBmbMvfRMlutQbGRrEptzt.exe4 vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe | Binary or memory string: OriginalFilenameSpecialNameAttribute.exe: vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VJNPltkyHyI3CCo.exe.log
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: unknown | Process created: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe 'C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe'
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Process created: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: VJNPltkyHyI3CCo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09447DA9 push esi; ret (1_2_09447DAA)
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_01047A37 push edi; retn 0000h (2_2_01047A39)
Source: initial sample | Static PE information: section name: .text entropy: 7.9009190253
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 1156, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Window / User API: threadDelayed 3480
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Window / User API: threadDelayed 6375
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe TID: 1844 Thread sleep time: -100825s >= -30000s
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe TID: 160 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe TID: 5076 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe TID: 5080 Thread sleep count: 3480 > 30
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe TID: 5080 Thread sleep count: 6375 > 30
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Thread delayed: delay time: 100825
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Thread delayed: delay time: 922337203685477
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: vmware
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.468657603.00000000012B0000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Code function: 2_2_0104E560 LdrInitializeThunk, 2_2_0104E560
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Memory written: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Process created: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469260289.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469260289.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469260289.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469260289.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
  Source: Yara match, file source: 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match, file source: 00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match, file source: 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match, file source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 748, type: MEMORY
  Source: Yara match, file source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 1156, type: MEMORY
  Source: Yara match, file source: 1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.unpack, type: UNPACKEDPE
  Source: Yara match, file source: 1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.raw.unpack, type: UNPACKEDPE
  Source: Yara match, file source: 2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Source: Yara match, file source: 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match, file source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 748, type: MEMORY
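The signatures above are individually weak (a browser reads its own profiles.ini, a mail client its own profile key); what marks the sample is one process touching the credential stores of several unrelated applications in a single run. The detection sketch below scores that pattern over endpoint file/registry-open events. It is an added example for this report, not Joe Sandbox or AgentTesla code: the event lines are constructed to mirror the "File opened" / "Key opened" entries, the pid|image|op|target layout is an assumed, simplified log format, and PID 1156 is used only because the report names it.

```python
"""
Credential-store sweep detector. Added example, not Joe Sandbox or AgentTesla
code. Event lines are constructed; the pid|image|op|target layout is an
assumed log format. Artifact paths are the ones the report lists.
"""
import re
from collections import defaultdict

# Artifact paths from the report, grouped by the kind of credential they hold.
# Only the tail of each path/key is matched, so user names and drive letters do not matter.
CREDENTIAL_STORES = {
    "browser": [
        r"\\Mozilla\\Firefox\\profiles\.ini$",
        r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
    ],
    "ftp": [
        r"\\FileZilla\\recentservers\.xml$",
        r"\\SmartFTP\\Client 2\.0\\Favorites\\",
    ],
    "mail": [
        r"\\Thunderbird\\profiles\.ini$",
        r"\\Software\\IncrediMail\\Identities$",
        r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676$",
    ],
    "sftp": [
        r"\\Martin Prikryl\\WinSCP 2\\Sessions$",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in CREDENTIAL_STORES.items()}


def classify_target(target):
    """Return the credential category a file path or registry key belongs to, or None."""
    for cat, regs in COMPILED.items():
        if any(r.search(target) for r in regs):
            return cat
    return None


def parse_event(line):
    """Parse 'pid|image|op|target'; return (pid, image, op, target) or None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    pid, image, op, target = parts
    if op not in ("FileOpen", "RegOpenKey"):
        return None
    return int(pid), image, op, target


def find_credential_harvesters(lines, min_categories=3):
    """
    Group events per (pid, image) and return those that opened stores from at
    least min_categories distinct categories. A legitimate client touches its
    own store only; a stealer sweeps browsers, FTP clients and mail profiles
    in one run, which is what the report shows for this sample.
    """
    touched = defaultdict(dict)  # (pid, image) -> {category: [targets]}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, image, _, target = ev
        cat = classify_target(target)
        if cat is not None:
            touched[(pid, image)].setdefault(cat, []).append(target)
    return {key: cats for key, cats in touched.items() if len(cats) >= min_categories}


# Constructed events (not from a real log); targets copied from the report.
SAMPLE_IMAGE = r"C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe"
SAMPLE_EVENTS = [
    f"1156|{SAMPLE_IMAGE}|RegOpenKey|HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions",
    f"1156|{SAMPLE_IMAGE}|FileOpen|C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
    f"1156|{SAMPLE_IMAGE}|FileOpen|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    f"1156|{SAMPLE_IMAGE}|FileOpen|C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml",
    f"1156|{SAMPLE_IMAGE}|FileOpen|C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini",
    f"1156|{SAMPLE_IMAGE}|RegOpenKey|HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676",
    # Font queries like the ones listed above are noise and must not count.
    f"1156|{SAMPLE_IMAGE}|FileOpen|C:\\Windows\\Fonts\\GLECB.TTF",
    # Firefox reading its own profiles.ini is a single category and stays below threshold.
    "2200|C:\\Program Files\\Mozilla Firefox\\firefox.exe|FileOpen|"
    "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
]

if __name__ == "__main__":
    for (pid, image), cats in find_credential_harvesters(SAMPLE_EVENTS).items():
        print(f"PID {pid} {image}: {sorted(cats)}")
```

The threshold of three categories is a tuning choice: password managers and backup agents can legitimately read two kinds of store, but nothing benign opens WinSCP sessions, FileZilla history, Chrome Login Data and the Outlook profile key in the same process.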

Remote Access Functionality:

Yara detected AgentTesla
  Source: Yara match, file source: 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match, file source: 00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match, file source: 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match, file source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 748, type: MEMORY
  Source: Yara match, file source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 1156, type: MEMORY
  Source: Yara match, file source: 1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.unpack, type: UNPACKEDPE
  Source: Yara match, file source: 1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.raw.unpack, type: UNPACKEDPE
  Source: Yara match, file source: 2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

(Digits following a technique name are the report's signature-count superscripts, flattened during extraction; they are kept as they appear.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Masquerading1 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | Credentials in Registry1 | Security Software Discovery211 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion131 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Local System2 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | 
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | 
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing3 | DCSync | System Information Discovery114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | 

Behavior Graph

(Behavior graph image not reproduced in this text version.)

Screenshots

(Screenshot thumbnails not reproduced in this text version. This section contains all screenshots as thumbnails, including those not shown in the slideshow.)

                  Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
VJNPltkyHyI3CCo.exe | 17% | Virustotal |  | Browse

                  Dropped Files

                  No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
--- | --- | --- | --- | --- | ---
2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 |  | Download File

Domains

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
mail.iykmoreentrprise.org | 1% | Virustotal |  | Browse

URLs

(Trailing characters such as "0", "F", "D", "%(" or "DPlease" are part of the strings as carved from memory; duplicate rows from multiple scanners reporting the same verdict have been collapsed.)

Source | Detection | Scanner | Label
--- | --- | --- | ---
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://iykmoreentrprise.org | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://api.ipify.org%( | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.comFM | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://GTAZqk.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://A84D2ljcLQUVG1tA.net | 0% | Avira URL Cloud | safe
http://www.fontbureau.comttva4 | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://mail.iykmoreentrprise.org | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
iykmoreentrprise.org | 66.70.204.222 | true | true |  | unknown
mail.iykmoreentrprise.org | unknown | unknown | true |  | unknown
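For an incident responder the useful part of this section is the pair of contacted indicators (iykmoreentrprise.org and 66.70.204.222) plus the secondary strings carved from memory in the URL list (api.ipify.org, the Tor download URL). The triage script below matches DNS and connection log lines against them and separates hosts to isolate from hosts to review. It is an added example for this report, not Joe Sandbox or AgentTesla code: the log lines are constructed, the "ts client DNS qname" and "ts client CONN ip:port" layouts are an assumed simplified format, and the strong/weak split is this example's own judgement (api.ipify.org is a public IP-lookup service that legitimate software also uses, and the Tor URL matters only if it is actually fetched).

```python
"""
Network-side IOC triage for the indicators in this report. Added example,
not Joe Sandbox or AgentTesla code. Log lines are constructed and the
line formats are assumed; the indicator values are the ones the report lists.
"""
import ipaddress
import re

# Contacted domain and IP from the report: a hit is sufficient on its own.
STRONG_DOMAINS = {"iykmoreentrprise.org", "mail.iykmoreentrprise.org"}
STRONG_IPS = {ipaddress.ip_address("66.70.204.222")}
# Service URLs carved from memory: shared with benign software, so corroborating only.
WEAK_DOMAINS = {"api.ipify.org", "www.theonionrouter.com"}

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) DNS (?P<qname>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) CONN (?P<dst>[0-9.]+):(?P<port>\d+)$")


def domain_matches(qname, domains):
    """True if qname equals, or is a subdomain of, any entry in domains (case-insensitive)."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def triage(lines):
    """Return (severity, client, indicator) for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            qname = m["qname"]
            if domain_matches(qname, STRONG_DOMAINS):
                hits.append(("strong", m["client"], qname))
            elif domain_matches(qname, WEAK_DOMAINS):
                hits.append(("weak", m["client"], qname))
            continue
        m = CONN_RE.match(line)
        if m:
            try:
                dst = ipaddress.ip_address(m["dst"])
            except ValueError:
                continue  # malformed address field; skip rather than crash the sweep
            if dst in STRONG_IPS:
                hits.append(("strong", m["client"], f"{dst}:{m['port']}"))
    return hits


def classify_clients(lines):
    """
    Split clients into 'isolate' (any strong hit) and 'review' (weak hits only).
    A weak hit alone is not evidence of this sample; paired with a strong one
    it corroborates the infection timeline (IP lookup, then C2 contact).
    """
    isolate, review = set(), set()
    for severity, client, _ in triage(lines):
        (isolate if severity == "strong" else review).add(client)
    return {"isolate": isolate, "review": review - isolate}


# Constructed log lines; client addresses and ports are made up for the example.
SAMPLE_LOG = [
    "2021-04-05T10:00:01Z 10.0.0.12 DNS api.ipify.org",
    "2021-04-05T10:00:02Z 10.0.0.12 DNS mail.iykmoreentrprise.org",
    "2021-04-05T10:00:03Z 10.0.0.12 CONN 66.70.204.222:587",
    "2021-04-05T10:05:00Z 10.0.0.30 DNS api.ipify.org",
    "2021-04-05T10:06:00Z 10.0.0.40 DNS www.example.org",
    "2021-04-05T10:07:00Z 10.0.0.40 CONN 93.184.216.34:443",
    # Suffix match must require a dot boundary: this is not a subdomain of the C2.
    "2021-04-05T10:08:00Z 10.0.0.50 DNS notiykmoreentrprise.org",
]

if __name__ == "__main__":
    for severity, client, indicator in triage(SAMPLE_LOG):
        print(f"{severity:6} {client:10} {indicator}")
    print(classify_clients(SAMPLE_LOG))
```

The dot-boundary check in domain_matches is the detail most often got wrong in ad-hoc IOC greps; a plain substring match on "iykmoreentrprise.org" would also flag unrelated names that merely contain it.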

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://127.0.0.1:HTTP/1.1VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    low
                    http://iykmoreentrprise.orgVJNPltkyHyI3CCo.exe, 00000002.00000002.472217023.0000000003330000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.apache.org/licenses/LICENSE-2.0VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmpfalse
                      high
                      http://www.fontbureau.comVJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmpfalse
                        high
                        http://www.fontbureau.com/designersGVJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmpfalse
                          high
                          http://DynDns.comDynDNSVJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.comFVJNPltkyHyI3CCo.exe, 00000001.00000002.211437768.00000000014F7000.00000004.00000040.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers/?VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmpfalse
                            high
                            http://www.founder.com.cn/cn/bTheVJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://cps.letsencrypt.org0VJNPltkyHyI3CCo.exe, 00000002.00000002.474666607.0000000006420000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haVJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers?VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmpfalse
                              high
                              https://api.ipify.org%(VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              low
                              http://www.tiro.comVJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designersVJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmpfalse
                                high
                                http://www.goodfont.co.krVJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comFMVJNPltkyHyI3CCo.exe, 00000001.00000002.211437768.00000000014F7000.00000004.00000040.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssVJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.carterandcone.comlVJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://r3.i.lencr.org/0 | VJNPltkyHyI3CCo.exe, 00000002.00000002.474666607.0000000006420000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | unknown
http://www.sajatypeworks.com | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | unknown
http://www.typography.netD | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | unknown
http://fontfabrik.com | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | unknown
http://www.founder.com.cn/cn | VJNPltkyHyI3CCo.exe, 00000001.00000003.200177966.000000000645C000.00000004.00000001.sdmp, VJNPltkyHyI3CCo.exe, 00000001.00000003.199446008.0000000006461000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | unknown
http://www.fontbureau.com/designers/frere-jones.html | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | unknown
http://r3.o.lencr.org0 | VJNPltkyHyI3CCo.exe, 00000002.00000002.474666607.0000000006420000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | unknown
http://www.galapagosdesign.com/DPlease | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | unknown
http://www.fontbureau.com/designers8 | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | - | high
https://api.ipify.org%GETMozilla/5.0 | VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | false | URL Reputation: safe (4 results) | low
http://GTAZqk.com | VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | VJNPltkyHyI3CCo.exe, 00000001.00000003.198143597.000000000646B000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (3 results) | unknown
http://www.urwpp.deDPlease | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (3 results) | unknown
http://www.zhongyicts.com.cn | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (3 results) | unknown
http://A84D2ljcLQUVG1tA.net | VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | VJNPltkyHyI3CCo.exe, 00000001.00000002.211954442.00000000034C1000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comttva4 | VJNPltkyHyI3CCo.exe, 00000001.00000002.211437768.00000000014F7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe (3 results) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | VJNPltkyHyI3CCo.exe, 00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp, VJNPltkyHyI3CCo.exe, 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe (3 results) | unknown
http://mail.iykmoreentrprise.org | VJNPltkyHyI3CCo.exe, 00000002.00000002.472217023.0000000003330000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.root-x1.letsencrypt.org0 | VJNPltkyHyI3CCo.exe, 00000002.00000002.472254348.0000000003338000.00000004.00000001.sdmp | false | URL Reputation: safe (3 results) | unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
66.70.204.222 | iykmoreentrprise.org | Canada | 16276 | OVHFR | true

                                            General Information

                                            Joe Sandbox Version:31.0.0 Emerald
                                            Analysis ID:385435
                                            Start date:12.04.2021
                                            Start time:14:20:16
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 8m 28s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:VJNPltkyHyI3CCo.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:26
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@3/1@2/1
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 0.1% (good quality ratio 0%)
                                            • Quality average: 43.3%
                                            • Quality standard deviation: 30.7%
                                            HCA Information:
                                            • Successful, ratio: 98%
                                            • Number of executed functions: 109
                                            • Number of non-executed functions: 31
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 168.61.161.212, 104.43.139.144, 104.42.151.234, 13.107.42.23, 13.107.5.88, 20.82.209.183, 184.30.24.56, 40.88.32.150, 92.122.213.194, 92.122.213.247, 20.54.26.129, 13.88.21.125, 13.64.90.137, 2.17.179.193, 84.53.167.113
                                            • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, arc.msn.com.nsatc.net, config.edge.skype.com.trafficmanager.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, l-0014.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, cdn.onenote.net.edgekey.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, config.edge.skype.com, www.bing.com, skypedataprdcolwus17.cloudapp.net, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, l-0014.l-msedge.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
14:21:06 | API Interceptor | 793x Sleep call for process: VJNPltkyHyI3CCo.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match: 66.70.204.222
Associated Sample Name / URL | Detection
0L2qr7kJMh40sxq.exe | malicious
ApuE9QrdQxe7Um6.exe | malicious
77iET1jNLJyV8ez.exe | malicious
bOkrXdoYekZPyWI.exe | malicious
ayZYB5SkqMPA06M.exe | malicious
fyZ6iHys7ClIHFR.exe | malicious
uMLNLd9kgPez84h.exe | malicious
YQfInBo2DDpDfIX.exe | malicious
ORDER 700198.exe | malicious
sZJd8CIputxKLHL.exe | malicious
MZE1fH3FADpILLo.exe | malicious
I5aSXk7QgcVm507.exe | malicious
H6KJ04yw37dsJsX.exe | malicious
hyUBmXyIgoC5I09.exe | malicious
3i8aJ4R0PXl4wT3.exe | malicious
AKBEsuPu9JfDXz3.exe | malicious
9W5K7OGmYCsPbcT.exe | malicious
c3oWuf8mb3ix7MY.exe | malicious
QAhqxmnssOm5ho4.exe | malicious
Z2YtRnoxRhFt3lk.exe | malicious

                                                                                    Domains

Match | Associated Sample Name / URL | Detection | Context

                                                                                    ASN

Match: OVHFR
Associated Sample Name / URL | Detection | Context
SecuriteInfo.com.Trojan.MinerNET.8.21400.exe | malicious | 51.255.34.118
Anmodning om tilbud 12-04-2021#U00b7pdf.exe | malicious | 51.195.53.221
PAYMENT COPY.exe | malicious | 167.114.6.31
Swift copy.pdf.exe | malicious | 51.222.80.112
PO-4147074_pdf.exe | malicious | 51.195.53.221
kQVi54bTM0.exe | malicious | 5.196.102.93
cym4u.exe | malicious | 188.165.17.91
Statement-ID-(400603).vbs | malicious | 51.89.204.5
$108,459.00.html | malicious | 146.59.152.166
LtfVNumoON.exe | malicious | 144.217.30.204
giATspz5dw.exe | malicious | 142.4.204.181
SecuriteInfo.com.__vbaHresultCheckObj.21994.exe | malicious | 149.202.83.171
SecuriteInfo.com.Variant.Johnnie.321295.17359.exe | malicious | 91.121.140.167
fileshare.doc | malicious | 188.165.245.148
SecuriteInfo.com.Variant.Bulz.421173.18141.exe | malicious | 51.89.77.2
R1210322PIR-2FQUOTATION(P21C00285).exe | malicious | 51.38.214.75
Notice of change schedule for CID_ CMA CGM AMBER 0QA8FS1NC 0QA8GN1NC - 1st Rev.pdf.exe | malicious | 51.195.53.221
Notice of change schedule for CID_ CMA CGM AMBER 0QA8FS1NC 0QA8GN1NC - 1st Rev.pdf_1.exe | malicious | 51.195.53.221
Purchase Order No.10056.exe | malicious | 51.195.53.221
Quotation_pdf.exe | malicious | 51.195.53.221

                                                                                    JA3 Fingerprints

                                                                                    No context

                                                                                    Dropped Files

                                                                                    No context

                                                                                    Created / dropped Files

                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VJNPltkyHyI3CCo.exe.log
                                                                                    Process:C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1314
                                                                                    Entropy (8bit):5.350128552078965
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                    Malicious:true
                                                                                    Reputation:high, very likely benign file
                                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Entropy (8bit):7.803865308867252
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                    File name:VJNPltkyHyI3CCo.exe
                                                                                    File size:836608
                                                                                    MD5:36a7049a4f3be8788f0c844319a5364b
                                                                                    SHA1:fbefd649daddd22154920dcae7dc79f8d6a036ff
                                                                                    SHA256:20251c86adaf2dc2cf0513e3dc83e78a768d1b016e0dcd738a0e55d3ba7227c4
                                                                                    SHA512:aaf5d36c7322e2f050debb26289f208dbd1388b1a980c7e0616ba4b7df42e95f60b382c3f5b88e9b1b4794c169d90332a19327230f0b011f13b7f595c4a40020
                                                                                    SSDEEP:12288:z63pA3f95jKm8HAKA1bBSxvVa6VsOMG6e46bXxec0N4iAhAMLsguzxWYTlK:qpa4m8HAKA3SNqG6jgvCyyhdxWYTs
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t`..............P.............^.... ........@.. ....................... ............@................................

                                                                                    File Icon

                                                                                    Icon Hash:9c9ee4f0f2d2d2da

                                                                                    Static PE Info

                                                                                    General

                                                                                    Entrypoint:0x4bc35e
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                    Time Stamp:0x6074018F [Mon Apr 12 08:15:11 2021 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:v4.0.30319
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                    Entrypoint Preview

                                                                                    Instruction
                                                                                    jmp dword ptr [00402000h]
                                                                                    or dword ptr [edx], ecx
                                                                                    or eax, 00000020h
                                                                                    add byte ptr [ecx+49h], cl
                                                                                    sub al, byte ptr [eax]
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    dec ebp
                                                                                    dec ebp
                                                                                    add byte ptr [edx], ch
                                                                                    add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbc30c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbe000          0x11a3c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xba37c       0xba400   False     0.920096214346   data       7.9009190253    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xbe000          0x11a3c       0x11c00   False     0.507840008803   data       5.85054037808   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd0000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size     Type                                                                                                                  Language  Country
RT_ICON        0xbe100  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON  0xce938  0x14     data
RT_VERSION     0xce95c  0x3a4    data
RT_MANIFEST    0xced10  0xd25    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright Adobe Inc, Sel 2011 - 2021
Assembly Version  1.0.0.0
InternalName      SpecialNameAttribute.exe
FileVersion       1.0.0.0
CompanyName       Adobe Inc, Sel
LegalTrademarks
Comments
ProductName       Image Studio
ProductVersion    1.0.0.0
FileDescription   Image Studio
OriginalFilename  SpecialNameAttribute.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Apr 12, 2021 14:22:50.436736107 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:50.570462942 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:50.570601940 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:50.833848953 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:50.834433079 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:50.970660925 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:50.971146107 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:51.106420994 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:51.156291962 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:51.221162081 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:51.361119032 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:51.361181974 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:51.361213923 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:51.361365080 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:51.373605967 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:51.507543087 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:51.562681913 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:51.779840946 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:51.913562059 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:51.916742086 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:52.050908089 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:52.052015066 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:52.197036028 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:52.197877884 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:52.334011078 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:52.334661961 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:52.491643906 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:52.492017984 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:52.625983000 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:52.632345915 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:52.632644892 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:52.632867098 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:52.633090019 CEST  49741        587        192.168.2.3    66.70.204.222
Apr 12, 2021 14:22:52.768244028 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:52.768296003 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:52.768328905 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:52.768359900 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:52.770149946 CEST  587          49741      66.70.204.222  192.168.2.3
Apr 12, 2021 14:22:52.812777996 CEST  49741        587        192.168.2.3    66.70.204.222

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 12, 2021 14:20:54.282417059 CEST  64938        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:20:54.360526085 CEST  53           64938      8.8.8.8      192.168.2.3
Apr 12, 2021 14:20:54.747649908 CEST  60152        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:20:54.796515942 CEST  53           60152      8.8.8.8      192.168.2.3
Apr 12, 2021 14:20:55.078618050 CEST  57544        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:20:55.128582001 CEST  53           57544      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:02.091650963 CEST  55984        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:02.150515079 CEST  53           55984      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:03.015203953 CEST  64185        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:03.077584982 CEST  53           64185      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:05.027339935 CEST  65110        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:05.076035023 CEST  53           65110      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:05.965487957 CEST  58361        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:06.014250994 CEST  53           58361      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:07.100564957 CEST  63492        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:07.149406910 CEST  53           63492      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:08.059403896 CEST  60831        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:08.116575956 CEST  53           60831      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:25.293231010 CEST  58722        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:25.299341917 CEST  56596        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:25.300570965 CEST  64101        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:25.344033003 CEST  53           58722      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:25.348047972 CEST  53           56596      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:25.349284887 CEST  53           64101      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:28.104584932 CEST  60100        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:28.157736063 CEST  53           60100      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:34.428991079 CEST  53195        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:34.487699986 CEST  53           53195      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:39.763340950 CEST  50141        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:39.816123009 CEST  53           50141      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:40.961142063 CEST  53023        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:41.018534899 CEST  53           53023      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:41.914843082 CEST  49563        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:41.967256069 CEST  53           49563      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:42.952872038 CEST  51352        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:43.019298077 CEST  53           51352      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:44.368967056 CEST  59349        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:44.432106972 CEST  53           59349      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:47.789033890 CEST  57084        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:47.837738037 CEST  53           57084      8.8.8.8      192.168.2.3
Apr 12, 2021 14:21:54.222506046 CEST  58823        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:21:54.293562889 CEST  53           58823      8.8.8.8      192.168.2.3
Apr 12, 2021 14:22:04.008586884 CEST  57568        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:22:04.057455063 CEST  53           57568      8.8.8.8      192.168.2.3
Apr 12, 2021 14:22:07.453449965 CEST  50540        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:22:07.522109985 CEST  53           50540      8.8.8.8      192.168.2.3
Apr 12, 2021 14:22:18.253395081 CEST  54366        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:22:18.302119970 CEST  53           54366      8.8.8.8      192.168.2.3
Apr 12, 2021 14:22:39.251099110 CEST  53034        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:22:39.303725958 CEST  53           53034      8.8.8.8      192.168.2.3
Apr 12, 2021 14:22:41.328479052 CEST  57762        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:22:41.396962881 CEST  53           57762      8.8.8.8      192.168.2.3
Apr 12, 2021 14:22:47.999886036 CEST  55435        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:22:48.048607111 CEST  53           55435      8.8.8.8      192.168.2.3
Apr 12, 2021 14:22:49.165318012 CEST  50713        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:22:49.216259956 CEST  53           50713      8.8.8.8      192.168.2.3
Apr 12, 2021 14:22:50.113877058 CEST  56132        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:22:50.220279932 CEST  53           56132      8.8.8.8      192.168.2.3
Apr 12, 2021 14:22:50.244390011 CEST  58987        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:22:50.301708937 CEST  53           58987      8.8.8.8      192.168.2.3
Apr 12, 2021 14:22:56.786207914 CEST  56579        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:22:56.834899902 CEST  53           56579      8.8.8.8      192.168.2.3
Apr 12, 2021 14:23:01.025154114 CEST  60633        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:23:01.075602055 CEST  53           60633      8.8.8.8      192.168.2.3
Apr 12, 2021 14:23:02.307183027 CEST  61292        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:23:02.367217064 CEST  53           61292      8.8.8.8      192.168.2.3
Apr 12, 2021 14:23:04.606638908 CEST  63619        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:23:04.656563997 CEST  53           63619      8.8.8.8      192.168.2.3
Apr 12, 2021 14:23:12.221443892 CEST  64938        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:23:12.222440004 CEST  61946        53         192.168.2.3  8.8.8.8
Apr 12, 2021 14:23:12.281131983 CEST  53           61946      8.8.8.8      192.168.2.3
Apr 12, 2021 14:23:12.282808065 CEST  53           64938      8.8.8.8      192.168.2.3

                                                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 14:22:50.113877058 CEST | 192.168.2.3 | 8.8.8.8 | 0x7377 | Standard query (0) | mail.iykmoreentrprise.org | A (IP address) | IN (0x0001)
Apr 12, 2021 14:22:50.244390011 CEST | 192.168.2.3 | 8.8.8.8 | 0x5d52 | Standard query (0) | mail.iykmoreentrprise.org | A (IP address) | IN (0x0001)

                                                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName / Address | Type | Class
Apr 12, 2021 14:22:50.220279932 CEST | 8.8.8.8 | 192.168.2.3 | 0x7377 | No error (0) | mail.iykmoreentrprise.org | iykmoreentrprise.org | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:22:50.220279932 CEST | 8.8.8.8 | 192.168.2.3 | 0x7377 | No error (0) | iykmoreentrprise.org | 66.70.204.222 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:22:50.301708937 CEST | 8.8.8.8 | 192.168.2.3 | 0x5d52 | No error (0) | mail.iykmoreentrprise.org | iykmoreentrprise.org | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:22:50.301708937 CEST | 8.8.8.8 | 192.168.2.3 | 0x5d52 | No error (0) | iykmoreentrprise.org | 66.70.204.222 | A (IP address) | IN (0x0001)

                                                                                    SMTP Packets

Timestamp | Src Port | Dst Port | Source IP | Dest IP | Commands
Apr 12, 2021 14:22:50.833848953 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3 | 220-server.wlcserver.com ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 16:22:50 +0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 12, 2021 14:22:50.834433079 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222 | EHLO 134349
Apr 12, 2021 14:22:50.970660925 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3 | 250-server.wlcserver.com Hello 134349 [84.17.52.3]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-X_PIPE_CONNECT
    250-STARTTLS
    250 HELP
Apr 12, 2021 14:22:50.971146107 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222 | STARTTLS
Apr 12, 2021 14:22:51.106420994 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3 | 220 TLS go ahead

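The five packets above are the only cleartext part of the exfiltration channel: the client connects to mail.iykmoreentrprise.org (66.70.204.222) on the submission port 587, identifies itself with a bare number instead of a hostname, and switches to TLS before it authenticates, so the SMTP credentials and the stolen data never appear in the capture. The script below is an added example, not part of the Joe Sandbox report; it reconstructs the session from the rows transcribed above and applies this example's own heuristics (numeric EHLO argument, STARTTLS before AUTH) to state what can and cannot be recovered from the pcap.

```python
import re
from typing import Any, Dict, List, Tuple

VICTIM_IP = "192.168.2.3"
MAIL_SERVER_IP = "66.70.204.222"

# Transcribed from the SMTP packet table above: (timestamp, src port,
# dst port, src ip, dst ip, payload).  Each multi-line reply is one entry.
SMTP_ROWS: List[Tuple[str, int, int, str, str, str]] = [
    ("14:22:50.833848953", 587, 49741, MAIL_SERVER_IP, VICTIM_IP,
     "220-server.wlcserver.com ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 16:22:50 +0400\r\n"
     "220-We do not authorize the use of this system to transport unsolicited,\r\n"
     "220 and/or bulk e-mail.\r\n"),
    ("14:22:50.834433079", 49741, 587, VICTIM_IP, MAIL_SERVER_IP, "EHLO 134349\r\n"),
    ("14:22:50.970660925", 587, 49741, MAIL_SERVER_IP, VICTIM_IP,
     "250-server.wlcserver.com Hello 134349 [84.17.52.3]\r\n"
     "250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
     "250-X_PIPE_CONNECT\r\n250-STARTTLS\r\n250 HELP\r\n"),
    ("14:22:50.971146107", 49741, 587, VICTIM_IP, MAIL_SERVER_IP, "STARTTLS\r\n"),
    ("14:22:51.106420994", 587, 49741, MAIL_SERVER_IP, VICTIM_IP, "220 TLS go ahead\r\n"),
]

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(data: str) -> Tuple[int, List[str]]:
    """Split one SMTP reply into (code, text lines).  RFC 5321: every line
    carries the same 3-digit code, '-' marks a continuation, ' ' the last line."""
    code, lines = None, []
    for raw in data.splitlines():
        m = REPLY_LINE.match(raw)
        if not m:
            raise ValueError(f"not an SMTP reply line: {raw!r}")
        if code is None:
            code = int(m.group(1))
        elif int(m.group(1)) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        lines.append(m.group(3))
    if code is None:
        raise ValueError("empty reply")
    return code, lines


def reconstruct_session(rows) -> Dict[str, Any]:
    """Walk the packets in order and record what the cleartext phase reveals."""
    s: Dict[str, Any] = {
        "server_banner": "", "server_software": "", "client_ehlo": "",
        "client_public_ip": "", "extensions": [], "starttls_requested": False,
        "tls_started": False, "cleartext_commands": [],
    }
    for _ts, _sport, _dport, sip, _dip, data in rows:
        if sip == VICTIM_IP:                            # client -> server
            cmd = data.strip()
            s["cleartext_commands"].append(cmd)
            verb, _, arg = cmd.partition(" ")
            if verb.upper() == "EHLO":
                s["client_ehlo"] = arg
            elif verb.upper() == "STARTTLS":
                s["starttls_requested"] = True
            continue
        code, lines = parse_reply(data)                 # server -> client
        if code == 220 and s["starttls_requested"]:
            s["tls_started"] = True                     # "220 TLS go ahead"
        elif code == 220:                               # greeting banner
            s["server_banner"] = lines[0]
            m = re.search(r"ESMTP (\S+ \S+)", lines[0])
            s["server_software"] = m.group(1) if m else ""
        elif code == 250 and not s["extensions"]:       # EHLO response
            m = re.search(r"\[([\d.]+)\]", lines[0])    # how the server saw us
            s["client_public_ip"] = m.group(1) if m else ""
            s["extensions"] = [l.split()[0] for l in lines[1:]]
    return s


def assess(s: Dict[str, Any]) -> List[str]:
    """Heuristics of this example, applied to the reconstructed session."""
    findings = []
    if str(s["client_ehlo"]).isdigit():
        findings.append(f"EHLO argument {s['client_ehlo']!r} is numeric, not a hostname; "
                        "a normal mail client sends its machine name or FQDN")
    if s["client_public_ip"]:
        findings.append(f"server greeted the client as {s['client_public_ip']} (egress NAT "
                        f"address); that, not {VICTIM_IP}, is what the mail server logs")
    if "STARTTLS" in s["extensions"] and s["tls_started"]:
        n = len(s["cleartext_commands"])
        findings.append(f"STARTTLS negotiated after {n} cleartext commands; AUTH credentials "
                        "and the exfiltrated message are encrypted in the capture")
    if s["server_software"]:
        findings.append(f"mail server identifies as {s['server_software']}")
    return findings


if __name__ == "__main__":
    for line in assess(reconstruct_session(SMTP_ROWS)):
        print("-", line)
```

Because everything after `220 TLS go ahead` is encrypted, the SMTP account this sample uses has to come from the extracted malware configuration or from TLS interception inside the sandbox, not from the pcap; the EHLO name and the destination host and port are still usable as network indicators.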
                                                                                    Code Manipulations

Statistics

CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior: per-process charts (interactive, not reproduced in this text)

                                                                                    System Behavior

                                                                                    General

Start time: 14:21:01
Start date: 12/04/2021
Path: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe'
Imagebase: 0xf20000
File size: 836608 bytes
MD5 hash: 36A7049A4F3BE8788F0C844319A5364B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                                    General

Start time: 14:21:07
Start date: 12/04/2021
Path: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
Imagebase: 0xb20000
File size: 836608 bytes
MD5 hash: 36A7049A4F3BE8788F0C844319A5364B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

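The two records above describe the same file on disk started six seconds apart with different image bases, and only the second instance carries an AgentTesla match in an executable region at 0x402000, far below the module that was mapped at 0xb20000. The script below is an added example, not part of the report: it parses the two records and their Yara sources and derives the process-injection reading from them. The meaning it assigns to the six dotted fields of a .sdmp name (process index, dump phase, dump id, base address, Win32 page protection, region type) is this example's assumption about Joe Sandbox's naming, not something the page documents; the Win32 protection constants themselves are real.

```python
from datetime import datetime
from typing import Any, Dict, List, NamedTuple

# Win32 page-protection constants (real values from <winnt.h>).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0            # PAGE_EXECUTE* are 0x10, 0x20, 0x40, 0x80


class YaraHit(NamedTuple):
    rule: str
    source: str                # the .sdmp name quoted in the report


class ProcessRecord(NamedTuple):
    index: int                 # "00000001" / "00000002" in the dump names
    start: str                 # HH:MM:SS as printed in the report
    path: str
    md5: str
    imagebase: int
    file_size: int             # lower bound for the size of the mapped image
    hits: List[YaraHit]


SAMPLE = r"C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe"
MD5 = "36A7049A4F3BE8788F0C844319A5364B"

# Transcribed from the two "General" records above.
PROCESSES = [
    ProcessRecord(1, "14:21:01", SAMPLE, MD5, 0xF20000, 836608, [
        YaraHit("JoeSecurity_AntiVM_3",
                "00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp"),
        YaraHit("JoeSecurity_AgentTesla_1",
                "00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp"),
    ]),
    ProcessRecord(2, "14:21:07", SAMPLE, MD5, 0xB20000, 836608, [
        YaraHit("JoeSecurity_AgentTesla_1",
                "00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp"),
        YaraHit("JoeSecurity_AgentTesla_1",
                "00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp"),
        YaraHit("JoeSecurity_CredentialStealer",
                "00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp"),
    ]),
]


def parse_dump_name(name: str) -> Dict[str, int]:
    """Split a dump file name into its fields.  Field meaning is this
    example's assumption about the naming scheme: process index, dump phase,
    dump id, base address (hex), page protection (hex), region type (hex)."""
    if not name.endswith(".sdmp"):
        raise ValueError(name)
    parts = name[:-len(".sdmp")].split(".")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields in {name!r}")
    return {
        "process": int(parts[0]),
        "phase": int(parts[1]),
        "dump_id": int(parts[2]),
        "address": int(parts[3], 16),
        "protection": int(parts[4], 16),
        "region_type": int(parts[5], 16),
    }


def is_executable(protection: int) -> bool:
    return bool(protection & EXECUTE_MASK)


def analyze(processes: List[ProcessRecord]) -> Dict[str, List[Any]]:
    result: Dict[str, List[Any]] = {"respawn": [], "injected_regions": [],
                                    "non_executable_hits": []}
    # 1. The same file launched again shortly after itself: the trace a
    #    "create suspended child, then write a PE into it" loader leaves.
    for parent in processes:
        for child in processes:
            if child.index <= parent.index or (child.path, child.md5) != (parent.path, parent.md5):
                continue
            delta = (datetime.strptime(child.start, "%H:%M:%S")
                     - datetime.strptime(parent.start, "%H:%M:%S")).total_seconds()
            if 0 <= delta <= 60:
                result["respawn"].append((parent.index, child.index, delta))
    # 2. A rule hit in executable memory that lies outside the module the
    #    process was started from is code something mapped in afterwards.
    for proc in processes:
        for hit in proc.hits:
            d = parse_dump_name(hit.source)
            if d["process"] != proc.index:
                raise ValueError(f"{hit.source} does not belong to process {proc.index}")
            inside_image = proc.imagebase <= d["address"] < proc.imagebase + proc.file_size
            if is_executable(d["protection"]) and not inside_image:
                result["injected_regions"].append((proc.index, hit.rule, d["address"], d["protection"]))
            elif not is_executable(d["protection"]):
                result["non_executable_hits"].append((proc.index, hit.rule, d["address"]))
    return result


if __name__ == "__main__":
    r = analyze(PROCESSES)
    for p, c, dt in r["respawn"]:
        print(f"process {p} re-launched its own image as process {c} after {dt:.0f} s")
    for p, rule, addr, prot in r["injected_regions"]:
        print(f"process {p}: {rule} at {addr:#x}, protection {prot:#x}, outside the mapped image")
```

The hit at 0x402000 with PAGE_EXECUTE_READWRITE is the one to dump and unpack: 0x400000 is the default preferred base of a 32-bit .NET executable, so a PE that a loader wrote into the suspended child at that address is the AgentTesla payload, while the 0x3071000 and 0x465E000 hits are read-write heap copies of its strings.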
                                                                                    Disassembly

                                                                                    Code Analysis

                                                                                      Executed Functions

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: .X[R$J4}E$J4}E$LxI>$LxI>$LxI>
                                                                                      • API String ID: 0-3143404701
                                                                                      • Opcode ID: d1bf4c62bf4a503712bf0feea696b061115e18ce0dd157fc81376b1faa43b1e0
                                                                                      • Instruction ID: 3c7718400dbd73987bde813f9881e5dc72982849c6e7a1250185094c538c345c
                                                                                      • Opcode Fuzzy Hash: d1bf4c62bf4a503712bf0feea696b061115e18ce0dd157fc81376b1faa43b1e0
                                                                                      • Instruction Fuzzy Hash: 1ED16975D0520ACFDB04CF99C5818AEFBB2FF89350F648566D516AB314C734AA82CF94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: .X[R$J4}E$LxI>$LxI>$LxI>
                                                                                      • API String ID: 0-1377848819
                                                                                      • Opcode ID: 5c01dfdeac3f8441c9c630c2760251738a1383f90fa864888be6e9ca35cb83cb
                                                                                      • Instruction ID: 44719d4017283a006f20af580775fd2c2fc89060d82cbbcb507d16685a8e7fb8
                                                                                      • Opcode Fuzzy Hash: 5c01dfdeac3f8441c9c630c2760251738a1383f90fa864888be6e9ca35cb83cb
                                                                                      • Instruction Fuzzy Hash: F1F1CE74D0420ACFDB04CFA5C5818AEFBB2FF49355B6485AAD406AB216C735DA87CF90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: K7;$K7;$etI2
                                                                                      • API String ID: 0-880602634
                                                                                      • Opcode ID: 1ed85bb711b6484cca1c0f65e95420c779038d75647e342cbea7bba19d8ea0cc
                                                                                      • Instruction ID: f8cb91a7520accf1cd3dd414982be3678d4440cfd47fc9bfccec2f7fbf4d9c8a
                                                                                      • Opcode Fuzzy Hash: 1ed85bb711b6484cca1c0f65e95420c779038d75647e342cbea7bba19d8ea0cc
                                                                                      • Instruction Fuzzy Hash: 8D71E474E11209DFDB04CFA9D5899ADFFB1FB88314F10882AE416A7354DB355942CF62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: K7;$etI2
                                                                                      • API String ID: 0-269552531
                                                                                      • Opcode ID: f06339a1cad115fa1d442fbd1e3dd6b7251d6dd5bdf82d0f8d75593de9dab966
                                                                                      • Instruction ID: 7a023eb79c610d192b305fa82169e3ae60a42e09422480d95be56fcec35e2f51
                                                                                      • Opcode Fuzzy Hash: f06339a1cad115fa1d442fbd1e3dd6b7251d6dd5bdf82d0f8d75593de9dab966
                                                                                      • Instruction Fuzzy Hash: 0A61F474E11209DFDB04CFA9D589AADFFB1FB88315F10882AE806A7354DB345942CF22
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: XGo$XGo
                                                                                      • API String ID: 0-3781630491
                                                                                      • Opcode ID: 7d452b31c01cffe83ed6397731c8a52434f2bc180d4a5200d9f3088480a1d1e3
                                                                                      • Instruction ID: 52a1c6aecc605d5b34b90de332ed0c64eb70bc04b59bfb32580fec512bfc399e
                                                                                      • Opcode Fuzzy Hash: 7d452b31c01cffe83ed6397731c8a52434f2bc180d4a5200d9f3088480a1d1e3
                                                                                      • Instruction Fuzzy Hash: 505106B4E0521A8FDB08CFAAC9406AEFBF2FF88350F14952AD509B7254D7349A51CF64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: XGo$XGo
                                                                                      • API String ID: 0-3781630491
                                                                                      • Opcode ID: 44cf91398deec6eed202466df4d1ab639f84f46f2c102225120df2abc7189077
                                                                                      • Instruction ID: db7b3b0afba320e0865d23065c8efe7b3e0b0b9ef2a25bcd6a9ab103f9ed3d8b
                                                                                      • Opcode Fuzzy Hash: 44cf91398deec6eed202466df4d1ab639f84f46f2c102225120df2abc7189077
                                                                                      • Instruction Fuzzy Hash: A35148B4E056198FDB08CFAAD8405AEFBF2EFC8310F14C56AD505A7254D7348A52CF64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 09448BB7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: InformationProcessQuery
                                                                                      • String ID:
                                                                                      • API String ID: 1778838933-0
                                                                                      • Opcode ID: 6690b9a3fa9d992a24ded495d96d1f7f007d73fbaa5b6daa1513f80c6ae21fcb
                                                                                      • Instruction ID: 1ac2d5511fadbad222d42aecc7afe1baa3fd3b139082a0ad7a822f30f767fb80
                                                                                      • Opcode Fuzzy Hash: 6690b9a3fa9d992a24ded495d96d1f7f007d73fbaa5b6daa1513f80c6ae21fcb
                                                                                      • Instruction Fuzzy Hash: 3721EFB5900649AFCB10CF9AD884ADEBBF4FB48324F10852EE959A7710C375A944CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 09448BB7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: InformationProcessQuery
                                                                                      • String ID:
                                                                                      • API String ID: 1778838933-0
                                                                                      • Opcode ID: 1425deb5634b29a814b527365a5ec7969f89e13dc6307ba2c28c83a3159c6cfc
                                                                                      • Instruction ID: c88eb8ab246f737378d29e0e1d91c221e5771521a5da1d43e3f3fe07f9403101
                                                                                      • Opcode Fuzzy Hash: 1425deb5634b29a814b527365a5ec7969f89e13dc6307ba2c28c83a3159c6cfc
                                                                                      • Instruction Fuzzy Hash: 9021CEB59002599FCB10CF9AD884ADEBBF4FB48324F10852AE969A7310D375A944CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: AP B
                                                                                      • API String ID: 0-1661389546
                                                                                      • Opcode ID: 5e9b559d243fbcfb87edec96f0fd86ac4a28b53f7bd325ac1f2274a25f03a5ce
                                                                                      • Instruction ID: dbc1f884713f43ddfd1ea50c6980217605cbf13fb6ccfde794363a3b0e07c5f4
                                                                                      • Opcode Fuzzy Hash: 5e9b559d243fbcfb87edec96f0fd86ac4a28b53f7bd325ac1f2274a25f03a5ce
                                                                                      • Instruction Fuzzy Hash: 23914875D04629CFEB24CF66DC447DABBB2BB88300F14C5EAD50AA7254EB315A868F10
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4S-/
                                                                                      • API String ID: 0-3138144181
                                                                                      • Opcode ID: 659ec4535340aaa6406b11cb6cf8426392ad69341ce56eab92004832d26c9155
                                                                                      • Instruction ID: 57e8eb962951d47cd893dda8ee7bc231b47c5cccc87ac226d6726a33f97876d4
                                                                                      • Opcode Fuzzy Hash: 659ec4535340aaa6406b11cb6cf8426392ad69341ce56eab92004832d26c9155
                                                                                      • Instruction Fuzzy Hash: EE516C74E05219DFDB04CFA9C9409AEFBF1EF89360F14846AE024A7354D7709A42CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4b8673b30ca0b3489fc7b868dad4838ff132ae41e1d1a3c034aecc644024fda2
                                                                                      • Instruction ID: 7a81bd8d563614e9ec641373873876e7a76c4daac434fd0d5d3f0e1e4f8f6d52
                                                                                      • Opcode Fuzzy Hash: 4b8673b30ca0b3489fc7b868dad4838ff132ae41e1d1a3c034aecc644024fda2
                                                                                      • Instruction Fuzzy Hash: 73B15974E15218CFEB14DFA8D98969EBBB2FF89341F10852AE40AB7350DB345941CF25
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b0a4bb3af30f73074bb7c7077b0fb47d1b9b2e5c615c14fa396d1a92013f1c6f
                                                                                      • Instruction ID: 931da18bcd48fb2d7264bfe50cb80a61a68f592502f7f88df1482b07526883db
                                                                                      • Opcode Fuzzy Hash: b0a4bb3af30f73074bb7c7077b0fb47d1b9b2e5c615c14fa396d1a92013f1c6f
                                                                                      • Instruction Fuzzy Hash: 21B15A74E15218CFEB14DFA8D9896DEBBB2FF88310F10852AE40AA7350DB345942CF25
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2863c871cfe50b01d64ef75a0b6e6f690e9d8126ff411a731d9f7c2d84f776a8
                                                                                      • Instruction ID: b1c7ef6e3f50c6f0197dbf6ea50075233f4e6144beb3adff51366880a69489fb
                                                                                      • Opcode Fuzzy Hash: 2863c871cfe50b01d64ef75a0b6e6f690e9d8126ff411a731d9f7c2d84f776a8
                                                                                      • Instruction Fuzzy Hash: 25A13574E412098FDB04CFA9CA455DEFBF2BF89310F14C62AD408EB354D73499428BA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0fd266081f220ed00f168b0381853749c31c814def81e394bfb959646019e410
                                                                                      • Instruction ID: 1996eac5108ab282d5570862f02dc681139b73172d3b5160ace090ec2658ff8e
                                                                                      • Opcode Fuzzy Hash: 0fd266081f220ed00f168b0381853749c31c814def81e394bfb959646019e410
                                                                                      • Instruction Fuzzy Hash: 2DA10374E412098FDB04CFE9C685ADEFBF2BF89314F14D62AD404AB354D73499468BA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ef0fd580508552b102aacf0b9e22a67a345241374db74293cc136a6a4ad23563
                                                                                      • Instruction ID: e3e91730cf0a306da319e5001a49fd86dad3ebfb79c94ffb6aa330b3539b73c6
                                                                                      • Opcode Fuzzy Hash: ef0fd580508552b102aacf0b9e22a67a345241374db74293cc136a6a4ad23563
                                                                                      • Instruction Fuzzy Hash: 2E918F38E003198FCB04DFA4D8549DDB7BAFF89314F25821AE415AF364EB70A989CB51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a4b1f69a05e1ef939e8d3991f5f49cbb74717f7f200bc0784dc348dbe6779c0c
                                                                                      • Instruction ID: 6bfe1e5933b49024e61785355684b5511136f57cb4ec7f8d05bfe8895a5f2450
                                                                                      • Opcode Fuzzy Hash: a4b1f69a05e1ef939e8d3991f5f49cbb74717f7f200bc0784dc348dbe6779c0c
                                                                                      • Instruction Fuzzy Hash: 94817A74E4520A8FDB04CFEAD5855EEFBB2EF88310F24D52AD524A7254D7348A42CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b39436b3da33d85728c72f4fcdb4959c627b0c3d7bbfa620269c07ceda10bd58
                                                                                      • Instruction ID: f673c76b3965814c019893a5749085ec1fba13711435edfa907e38c7d0e1764e
                                                                                      • Opcode Fuzzy Hash: b39436b3da33d85728c72f4fcdb4959c627b0c3d7bbfa620269c07ceda10bd58
                                                                                      • Instruction Fuzzy Hash: 15913974E15218CFEB04DFA8D98969DBFB2FB88340F10856AE40AE7354DB349942CF25
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b080669e5f7210c530305dc18205a2e52a1120bfe59f5a4947a9db289819a613
                                                                                      • Instruction ID: 939fa29fee1e719d8794786cc6eabf3822fb5ac791a87542d2713df4bc9fc0cc
                                                                                      • Opcode Fuzzy Hash: b080669e5f7210c530305dc18205a2e52a1120bfe59f5a4947a9db289819a613
                                                                                      • Instruction Fuzzy Hash: 85816C39E003198FCB04DFA0D8548DDB7BAFF99310F25821AE515AF264EB70A989DB50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 394d78d3bbe29f2296699b61b29d51a264cbbe615606acac986fc38047030cd1
                                                                                      • Instruction ID: 469be2c499def0cf121fda627bd0b5aedf9887796f45016d93bc776a47e67871
                                                                                      • Opcode Fuzzy Hash: 394d78d3bbe29f2296699b61b29d51a264cbbe615606acac986fc38047030cd1
                                                                                      • Instruction Fuzzy Hash: B0717974E4120A8FDB04CFEAD5855EEFBB2EF88310F14D42AD524A7254D7348A428FA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 576f0bbb24806d2d5ad25e049effe712645f83737eb43c84c683b40c83b56fae
                                                                                      • Instruction ID: 006234ea4ba1b383e44cb02476ec43166dc865906990b34481ce1f5326fc0564
                                                                                      • Opcode Fuzzy Hash: 576f0bbb24806d2d5ad25e049effe712645f83737eb43c84c683b40c83b56fae
                                                                                      • Instruction Fuzzy Hash: 97717974E4120A8FDB04CFEAD5855EEFBF2EF88310F24D42AD524A7254D7349A428FA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 93b8700c9d4ff19adf7ad9916f25302c663acef6e0ff94461d66f3a1e5ec7eec
                                                                                      • Instruction ID: 2926ac8caf32832d26adcf13978c9f039a7effb9dd4dc940c78fcffa7fd893e2
                                                                                      • Opcode Fuzzy Hash: 93b8700c9d4ff19adf7ad9916f25302c663acef6e0ff94461d66f3a1e5ec7eec
                                                                                      • Instruction Fuzzy Hash: B731F3B5E016189BDB18CFAAD9846CEBBB3EFC8311F14C06AE409A7354DB355A85CF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b0e7573b6ec770b85e5d2c760f6ce10dbfad627e6c4f5cf746ed663fa3721f65
                                                                                      • Instruction ID: c2472efd33505e0e0b54b01b884918b9506e81cef249c96f2d04be02b3cfe954
                                                                                      • Opcode Fuzzy Hash: b0e7573b6ec770b85e5d2c760f6ce10dbfad627e6c4f5cf746ed663fa3721f65
                                                                                      • Instruction Fuzzy Hash: 8021D6B1E056588BEB18CFAAC9543DEFBF3AFC9310F14C16AD409AA258DB741949CF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.216760490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d799a65e40dde2f6edef652b790c17692c6cf06412ac0a6b8640751e5a95d661
                                                                                      • Instruction ID: 8e669b3ce81c00f7e41db206a7c8ea55b0a23d3d8cd30d74025a2af1eeb1fb13
                                                                                      • Opcode Fuzzy Hash: d799a65e40dde2f6edef652b790c17692c6cf06412ac0a6b8640751e5a95d661
                                                                                      • Instruction Fuzzy Hash: D81149B1D092598FCB15CFB4C5687EEBBB0FB0E301F0898AAD045B7291C7748989DB64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.216760490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9b415eb376e8245c1fe89b66a053c1ff8564d140a59073c5227fa2777d962657
                                                                                      • Instruction ID: 3ff7cb8d5f46f79da66fd19d7d456c2f9ef37926ed89e543926be390098bff5e
                                                                                      • Opcode Fuzzy Hash: 9b415eb376e8245c1fe89b66a053c1ff8564d140a59073c5227fa2777d962657
                                                                                      • Instruction Fuzzy Hash: 171118B1D0421A8FDB14DFA5C528BEEBAF1BB4E311F18946AD505B3290CB748984CB68
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0944D54E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: CreateProcess
                                                                                      • String ID:
                                                                                      • API String ID: 963392458-0
                                                                                      • Opcode ID: 9581b9f04b914490a67d76f731b4e7b059f29ac3d28421c6c4e2a4eb5718458a
                                                                                      • Instruction ID: d5bdd70725070a0354b5a80dea70014cdde14cc2ffc234c7b051565f501234fe
                                                                                      • Opcode Fuzzy Hash: 9581b9f04b914490a67d76f731b4e7b059f29ac3d28421c6c4e2a4eb5718458a
                                                                                      • Instruction Fuzzy Hash: 52914171D002198FEF10DFA8C8817DEB7B2BF48314F14856AE849A7380DB75A985CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0346BCA6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: HandleModule
                                                                                      • String ID:
                                                                                      • API String ID: 4139908857-0
                                                                                      • Opcode ID: 1908e93a7ea5facdc91ab0632a2f5232d81e5cd77f8de1e74befbd93da74c077
                                                                                      • Instruction ID: c7124227121f58fab35d3d91fa76a90728a56c14e4a514cd7cc5c188b822faa0
                                                                                      • Opcode Fuzzy Hash: 1908e93a7ea5facdc91ab0632a2f5232d81e5cd77f8de1e74befbd93da74c077
                                                                                      • Instruction Fuzzy Hash: FD7125B0A00B058FD724DF6AC44179ABBF5FF48604F04892ED486DBB40DB75E9098F96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0346E02A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: CreateWindow
                                                                                      • String ID:
                                                                                      • API String ID: 716092398-0
                                                                                      • Opcode ID: e844c61ef60e2e03e45a71d5543591e9e33b1bfd43a2d60164cd996118b1e44e
                                                                                      • Instruction ID: 4db812103a9209063ebf75e28b2562ff3ec49ce7992ef0b699889727436c6c80
                                                                                      • Opcode Fuzzy Hash: e844c61ef60e2e03e45a71d5543591e9e33b1bfd43a2d60164cd996118b1e44e
                                                                                      • Instruction Fuzzy Hash: 4C51CEB1D00318DFDB14CFA9C984ADEBBF5BF48314F24822AE819AB210D7759985CF91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0346E02A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: CreateWindow
                                                                                      • String ID:
                                                                                      • API String ID: 716092398-0
                                                                                      • Opcode ID: 577a68a145fbba7ba8b532f72fee2f39a831a83179a94b7194b459649e37841c
                                                                                      • Instruction ID: 66430d95a33a3ed07f88f77b4ddd63668aa562f0ac9dfbc031d1fbd909b499cf
                                                                                      • Opcode Fuzzy Hash: 577a68a145fbba7ba8b532f72fee2f39a831a83179a94b7194b459649e37841c
                                                                                      • Instruction Fuzzy Hash: 5051DFB1D00318DFDB14CF99C984ADEBBF5BF48310F24822AE819AB210D7749985CF91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03467107
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      • Opcode ID: df407ba99963b58149fda090655453710be672c2fe38e1537aff10e8fc16cbf6
                                                                                      • Instruction ID: b5d36485f7d071aee3555f48e8a657eadf3131621c7ad6275ae90cdf3d62372b
                                                                                      • Opcode Fuzzy Hash: df407ba99963b58149fda090655453710be672c2fe38e1537aff10e8fc16cbf6
                                                                                      • Instruction Fuzzy Hash: 27414A76900218AFCB01CF99D884ADEBFF9FB48314F14806AE914AB351D735A914DFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0944D120
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: MemoryProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3559483778-0
                                                                                      • Opcode ID: 6289b281ac1bc7ac139a5b9e892646056145c3e34d2aab89663a3c3f1d27d4bd
                                                                                      • Instruction ID: 60831bb84705c701a40958cde2aef1c0020ac83093dec0955f17fcf5f9925d73
                                                                                      • Opcode Fuzzy Hash: 6289b281ac1bc7ac139a5b9e892646056145c3e34d2aab89663a3c3f1d27d4bd
                                                                                      • Instruction Fuzzy Hash: AA21F5719003599FDF10CFA9C884BDEBBF5FF48314F14842AE959A7240DB79A944CBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03467107
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      • Opcode ID: 94645fa881182b62e4c5f5e41c654197a88138e3aa4356a7376cbe13529ca004
                                                                                      • Instruction ID: 8d7bed78f78f2efbd3b670fced6a8e6ff4ab00d802d8841e02d5deefcb39cf28
                                                                                      • Opcode Fuzzy Hash: 94645fa881182b62e4c5f5e41c654197a88138e3aa4356a7376cbe13529ca004
                                                                                      • Instruction Fuzzy Hash: 562103B59002189FDB00CFAAD884ADEBBF8FB48324F14801AE914A7310D378A944CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0944D200
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: MemoryProcessRead
                                                                                      • String ID:
                                                                                      • API String ID: 1726664587-0
                                                                                      • Opcode ID: c126263a8c80a243b2d1b707fa54fa6d60e770a888c61b8b0a1ce1b436b84b55
                                                                                      • Instruction ID: d3b2f26fd3780f6807308418bbf5f501a8ce80c2e4f021b3d3bc3718116d5566
                                                                                      • Opcode Fuzzy Hash: c126263a8c80a243b2d1b707fa54fa6d60e770a888c61b8b0a1ce1b436b84b55
                                                                                      • Instruction Fuzzy Hash: DF2119B1D002499FDB10CFA9C884ADEBBF5FF48314F50842AE559A7240C739A944CBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 0944C976
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: ContextThread
                                                                                      • String ID:
                                                                                      • API String ID: 1591575202-0
                                                                                      • Opcode ID: 60864dd23e95a9795bf2210916a98974d2d390dd3a0b1122bd0f02552f6dd4dc
                                                                                      • Instruction ID: bb48b44e00d42115f6c65a81a047783ae2e1a4de9925f01e15e8ade8a84508d5
                                                                                      • Opcode Fuzzy Hash: 60864dd23e95a9795bf2210916a98974d2d390dd3a0b1122bd0f02552f6dd4dc
                                                                                      • Instruction Fuzzy Hash: 522134719002099FDB10CFAAC484BEEBBF4AF49324F54842AD459A7340DB78A944CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03467107
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      • Opcode ID: 85d19599c0537e59e2f0db229e5a1723ecb3be7326b7f4ab7a10611782bdad06
                                                                                      • Instruction ID: f4b05224011426f00858e56d8d15b4789cfafdd1cd1acfa792a27a56fe70b8a4
                                                                                      • Opcode Fuzzy Hash: 85d19599c0537e59e2f0db229e5a1723ecb3be7326b7f4ab7a10611782bdad06
                                                                                      • Instruction Fuzzy Hash: 5D21E2B59002189FDB10CFAAD884ADEBBF8FB48324F14841AE955A7310D778A944CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 09447743
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: ProtectVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 544645111-0
                                                                                      • Opcode ID: c024ad00ceebaaf79e6cd2785fb6e9136eb42b102bb12bd46063c8409472a41f
                                                                                      • Instruction ID: 2ae5ac3af48d56ffdc7f09fcff5163f4e5660cf152c41846115bda4a1461e6e5
                                                                                      • Opcode Fuzzy Hash: c024ad00ceebaaf79e6cd2785fb6e9136eb42b102bb12bd46063c8409472a41f
                                                                                      • Instruction Fuzzy Hash: 0E2106B59002099FDB10CF9AC585BDEBBF4BB48324F14842AE559A7640D378A645CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0346BD21,00000800,00000000,00000000), ref: 0346BF32
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID:
                                                                                      • API String ID: 1029625771-0
                                                                                      • Opcode ID: c1a0910b7c4c0956c6815d99fb3083dfe59262c13f2f4f0c394720ecac486ec4
                                                                                      • Instruction ID: 4e7296246e133df31a1f36e12ef22936857f66c4f31db9dea6fcb9571f57d508
                                                                                      • Opcode Fuzzy Hash: c1a0910b7c4c0956c6815d99fb3083dfe59262c13f2f4f0c394720ecac486ec4
                                                                                      • Instruction Fuzzy Hash: 791114B29003088FDB14CF9AC444ADEFBF8EB48324F04842EE515AB300C775A945CFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 09447743
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: ProtectVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 544645111-0
                                                                                      • Opcode ID: 92f6cdf77ebc829af682a87775871635b9b6fa2a9305e3b71378d60702fc561b
                                                                                      • Instruction ID: aaab3137fc172949a411de28612ba50a421d048b19d610c99d7c8b1a73bd1ca6
                                                                                      • Opcode Fuzzy Hash: 92f6cdf77ebc829af682a87775871635b9b6fa2a9305e3b71378d60702fc561b
                                                                                      • Instruction Fuzzy Hash: D021E4B59006099FDB10CF9AC884BDEFBF4FB48324F54842AE559A7240D778AA45CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0944D03E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 4275171209-0
                                                                                      • Opcode ID: 624d49313450e0e74e8efe5663f12885aae05f46dda9081b014a2498fd79f815
                                                                                      • Instruction ID: 4e0d540a86b65cffbf006cc588f916040ef61dac6e2bcb763460192f619a84d2
                                                                                      • Opcode Fuzzy Hash: 624d49313450e0e74e8efe5663f12885aae05f46dda9081b014a2498fd79f815
                                                                                      • Instruction Fuzzy Hash: D9113A719002489FDF10CFA9C844BDFBBF5AF48328F14841AE519A7250CB75A944CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0346BD21,00000800,00000000,00000000), ref: 0346BF32
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID:
                                                                                      • API String ID: 1029625771-0
                                                                                      • Opcode ID: 7d571b8747b709137dc8980de3f0ffdbf28c8e2279657052da1bc382435a9070
                                                                                      • Instruction ID: 0660f84f027b4d492ccc645e9de9d5ceaaa620839953b2711db6022cca3d6507
                                                                                      • Opcode Fuzzy Hash: 7d571b8747b709137dc8980de3f0ffdbf28c8e2279657052da1bc382435a9070
                                                                                      • Instruction Fuzzy Hash: 741114B6D002098FDB10CF9AC584ADEFBF4EB48324F14852AD519AB700C775A545CFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • OutputDebugStringW.KERNELBASE(00000000), ref: 0944A850
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: DebugOutputString
                                                                                      • String ID:
                                                                                      • API String ID: 1166629820-0
                                                                                      • Opcode ID: 2887fc14473a11fddfe2b78862387d4a4349ff1b7369b2b91253351d240a090c
                                                                                      • Instruction ID: 3e299230bcf3d84d7578af30274c8cab1fcec3525661f60de24ceb9ba3a4b16a
                                                                                      • Opcode Fuzzy Hash: 2887fc14473a11fddfe2b78862387d4a4349ff1b7369b2b91253351d240a090c
                                                                                      • Instruction Fuzzy Hash: FC1144B1D006198FDB10CF9AD484B9EFBF4FB48324F04812AD819A7740D7346A45CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • OutputDebugStringW.KERNELBASE(00000000), ref: 0944A850
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: DebugOutputString
                                                                                      • String ID:
                                                                                      • API String ID: 1166629820-0
                                                                                      • Opcode ID: 34c398569d22ca4e049dfcdae70154d6686dd56ca80ada1c151d2e43561e84dd
                                                                                      • Instruction ID: 3775deedb17406c16e08634f87e58d0157a943f832f1af29b2f1236e5f56ed7f
                                                                                      • Opcode Fuzzy Hash: 34c398569d22ca4e049dfcdae70154d6686dd56ca80ada1c151d2e43561e84dd
                                                                                      • Instruction Fuzzy Hash: 3C1123B1D006199BDB10CF9AD484B9EFBF4FB48324F04812AE819A7340D734AA45CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: ResumeThread
                                                                                      • String ID:
                                                                                      • API String ID: 947044025-0
                                                                                      • Opcode ID: 7ab0ab3ed3f535b3269b84fb373a2de03f7f0adfb1302a0142cfea545cbb5d7f
                                                                                      • Instruction ID: 3586bca0ec212a210329386ec5f36d957b82648cbf8182971e7e1fdcd637b6f5
                                                                                      • Opcode Fuzzy Hash: 7ab0ab3ed3f535b3269b84fb373a2de03f7f0adfb1302a0142cfea545cbb5d7f
                                                                                      • Instruction Fuzzy Hash: DB11F8B1D042488FDB10DFAAC4847DEBBF5AF88324F14842AD559A7240CB79A944CFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 0346E1BD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: LongWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1378638983-0
                                                                                      • Opcode ID: 951dee2d6e37ee5e552d6628f7daa33a1c5d40c2964ad06be21101db8ddc9c8d
                                                                                      • Instruction ID: c3a61b2691f8b21113b837bad76daf14d0603d8282ade373f672e9a2944fa934
                                                                                      • Opcode Fuzzy Hash: 951dee2d6e37ee5e552d6628f7daa33a1c5d40c2964ad06be21101db8ddc9c8d
                                                                                      • Instruction Fuzzy Hash: 171106B59006089FDB10CF99D588BDFFBF8EB48324F14841AE955A7340C374A944CFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0346BCA6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: HandleModule
                                                                                      • String ID:
                                                                                      • API String ID: 4139908857-0
                                                                                      • Opcode ID: 3763c6fa3d0ce915a6d00480b9317aa19414450c47fc7c375576b74e39928bd0
                                                                                      • Instruction ID: 9e13f674155606b013736d3f02bf280a4191ebc27bddeb3d38aee78e0c8d6076
                                                                                      • Opcode Fuzzy Hash: 3763c6fa3d0ce915a6d00480b9317aa19414450c47fc7c375576b74e39928bd0
                                                                                      • Instruction Fuzzy Hash: E6110FB1D006498FDB10CF9AC444ADEFBF4EB88324F14842ED869A7600C779A645CFA2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • PostMessageW.USER32(?,?,?,?), ref: 07FC031D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.216760490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: MessagePost
                                                                                      • String ID:
                                                                                      • API String ID: 410705778-0
                                                                                      • Opcode ID: c8f32ee51985be0859a99bfa85037e620e9be6041a054edac82df6f374176f01
                                                                                      • Instruction ID: ed3a64c8e34abd47640e2c4bc1add03f758f6524cef30bbf2e7a50a69a19651e
                                                                                      • Opcode Fuzzy Hash: c8f32ee51985be0859a99bfa85037e620e9be6041a054edac82df6f374176f01
                                                                                      • Instruction Fuzzy Hash: A21112B5800309DFDB10CF9AC988BDEBBF8FB48324F14841AE559A7200C379A944CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 0346E1BD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: LongWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1378638983-0
                                                                                      • Opcode ID: 4720cda280a446d894084771525f6d89f9a413f5a7eaa4f2001c1818f30751a5
                                                                                      • Instruction ID: 45e0b1186fead94a17c905e05cd8455ec480051a5d592f70d7d8145397a01d30
                                                                                      • Opcode Fuzzy Hash: 4720cda280a446d894084771525f6d89f9a413f5a7eaa4f2001c1818f30751a5
                                                                                      • Instruction Fuzzy Hash: C01115B99002088FDB10CF99D589BDEFBF4EB48324F14851AD959B7740C374A944CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • PostMessageW.USER32(?,?,?,?), ref: 07FC031D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.216760490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: MessagePost
                                                                                      • String ID:
                                                                                      • API String ID: 410705778-0
                                                                                      • Opcode ID: af618f18190b7b79a978a091f62e74c28778fc89122060d70a55309ffd8b404d
                                                                                      • Instruction ID: 010a04e58184227f771b02febe586e41e02a2241be5e8543f8b5c36cd70d3c85
                                                                                      • Opcode Fuzzy Hash: af618f18190b7b79a978a091f62e74c28778fc89122060d70a55309ffd8b404d
                                                                                      • Instruction Fuzzy Hash: 2A1100B5900209CFDB10CF99D988BDEBBF4FB48324F14881AE559A7200C379A984CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211668156.00000000018BD000.00000040.00000001.sdmp, Offset: 018BD000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d0914d98ca39966250a33cd43528cbe4325e7140d75968bef54246e96501b6a3
                                                                                      • Instruction ID: 8b0134551172ebc99cb01bb0215228e5c16a5196b7130e7658d0309ce9aec762
                                                                                      • Opcode Fuzzy Hash: d0914d98ca39966250a33cd43528cbe4325e7140d75968bef54246e96501b6a3
                                                                                      • Instruction Fuzzy Hash: 42212871504244EFDB05CF94D9C0B96BF65FB8832CF248669F9058B316C33AD945C7A2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

Memory Dump Source: 00000001.00000002.211684249.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
• Opcode ID: 386d345d5288f65729f180f12a250b3cb7d0f69a3f49ba03a28031471565eee2
• Instruction ID: 83e8e83cedc546debb45d6e02408eca529291f2bc3ce8febb147db666ca1fee0
• Opcode Fuzzy Hash: 386d345d5288f65729f180f12a250b3cb7d0f69a3f49ba03a28031471565eee2
• Instruction Fuzzy Hash: F1210371504244DFCB11EF98D4C4B16BB65FB84758F20CA7DE80A8B246C33AD947CAA2
• Uniqueness Score: -1.00%

Memory Dump Source: 00000001.00000002.211684249.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
• Opcode ID: 5a66079772fd1acefbe71502141393b5cc356bd9a4c57fe22dde580c02e1d466
• Instruction ID: ccc265ea0091b18abd8861ed73a1e9062800fcced77dc1fd1838fc6abac88135
• Opcode Fuzzy Hash: 5a66079772fd1acefbe71502141393b5cc356bd9a4c57fe22dde580c02e1d466
• Instruction Fuzzy Hash: 86213A71504204DFDB01EF94D9C0B16BB66FB84728F20C67DE8098B342C336E946CAA1
• Uniqueness Score: -1.00%

Memory Dump Source: 00000001.00000002.211668156.00000000018BD000.00000040.00000001.sdmp, Offset: 018BD000, based on PE: false
• Opcode ID: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
• Instruction ID: 670358aa7e86a0b85b03850e56c7b0afdadf21139d9eff315305e7f2f07e168f
• Opcode Fuzzy Hash: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
• Instruction Fuzzy Hash: 9F11E172404280DFCB02CF44D5C4B56BF71FB84328F2482A9E8054B316C33AD55ACBA2
• Uniqueness Score: -1.00%

Memory Dump Source: 00000001.00000002.211684249.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
• Opcode ID: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
• Instruction ID: 3d7b8cfc73fd9a1a2e4e8d3ba6a04fdff6b9f3c88bbd749defe4ded8b2531364
• Opcode Fuzzy Hash: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
• Instruction Fuzzy Hash: 7D11BE75504280DFCB02DF54C5C4B15BF72FB84724F24C6AED8498B656C33AE54ACB91
• Uniqueness Score: -1.00%

Memory Dump Source: 00000001.00000002.211684249.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
• Opcode ID: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
• Instruction ID: 77fcf78cd045a1e9ae94c27392bbf89db2335b909d0072a1af78563c15143117
• Opcode Fuzzy Hash: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
• Instruction Fuzzy Hash: EB11EB75404280DFCB02CF18D5C4B16BFA1FB84324F28C6AED8498B656C33AD54ACBA2
• Uniqueness Score: -1.00%

Memory Dump Source: 00000001.00000002.211668156.00000000018BD000.00000040.00000001.sdmp, Offset: 018BD000, based on PE: false
• Opcode ID: 5476481de96ea634ac1ec0d0e062de63bb46c53723518066bf0b0da634d94006
• Instruction ID: 1b6dc2eeb281a1d068354ae7e22a73cbfa4d51cf1bae55ae212742f57248c76d
• Opcode Fuzzy Hash: 5476481de96ea634ac1ec0d0e062de63bb46c53723518066bf0b0da634d94006
• Instruction Fuzzy Hash: B901F771409344BAE7104A59CCC4BA7BB98EF4632CF08861AEE099A343D77A9944C6F2
• Uniqueness Score: -1.00%

Memory Dump Source: 00000001.00000002.211668156.00000000018BD000.00000040.00000001.sdmp, Offset: 018BD000, based on PE: false
• Opcode ID: 5044f9bc1ad7d71472aa25710a113b5807ee76a50aeb4a1ea1d1fd9ba3eca390
• Instruction ID: 1eb4fe2bac5fa5c96cb5cddfd63a75feff5ee5f139fb0e9ff245ef100b6ce389
• Opcode Fuzzy Hash: 5044f9bc1ad7d71472aa25710a113b5807ee76a50aeb4a1ea1d1fd9ba3eca390
• Instruction Fuzzy Hash: F7F0C871408344AAE7108A19DCC4BA2FF98EB41338F18C55AED094B382C3795844CAB1
• Uniqueness Score: -1.00%
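The function records in this listing are flat text, and the interesting signals are easy to miss by eye: two of the executed-function entries above share Opcode ID 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334 but carry different Instruction IDs (the same opcode skeleton with different operands), and most of the non-executed functions come from a single non-PE region at 09440000. The helper below is an added example, not part of the Joe Sandbox report or its tooling. It parses records in either this page's bullet layout or the compact one, decodes the .sdmp file name, and groups functions by dump region and by opcode skeleton. The sample input is four of this page's records, reduced to their non-empty fields. Only the fourth dotted field of the file name is confirmed by the page (it equals the printed Offset); the names given to the other fields, and the reading of 00000040 as a page-protection value, are assumptions.

```python
# Added helper, not part of the Joe Sandbox report: parse the per-function
# records in this listing and triage them by dump region and opcode skeleton.
import re
from collections import defaultdict

# Constructed sample: four records copied from this page, reduced to their
# non-empty field lines (the real listing has many more).
SAMPLE = """
Memory Dump Source: 00000001.00000002.211668156.00000000018BD000.00000040.00000001.sdmp, Offset: 018BD000, based on PE: false
• Opcode ID: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
• Instruction ID: 670358aa7e86a0b85b03850e56c7b0afdadf21139d9eff315305e7f2f07e168f
• Instruction Fuzzy Hash: 9F11E172404280DFCB02CF44D5C4B56BF71FB84328F2482A9E8054B316C33AD55ACBA2
• Uniqueness Score: -1.00%

Memory Dump Source: 00000001.00000002.211684249.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
• Opcode ID: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
• Instruction ID: 3d7b8cfc73fd9a1a2e4e8d3ba6a04fdff6b9f3c88bbd749defe4ded8b2531364
• Instruction Fuzzy Hash: 7D11BE75504280DFCB02DF54C5C4B15BF72FB84724F24C6AED8498B656C33AE54ACB91
• Uniqueness Score: -1.00%

Memory Dump Source: 00000001.00000002.211684249.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
• Opcode ID: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
• Instruction ID: 77fcf78cd045a1e9ae94c27392bbf89db2335b909d0072a1af78563c15143117
• Instruction Fuzzy Hash: EB11EB75404280DFCB02CF18D5C4B16BFA1FB84324F28C6AED8498B656C33AD54ACBA2
• Uniqueness Score: -1.00%

Memory Dump Source: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
• String ID: V'>x$V'>x
• API String ID: 0-4091641106
• Opcode ID: 869b165db73db061b6ce9402d7c7442b9cc584ec22d632ccca6c5cbd7edeb1d7
• Instruction ID: 5afa3bc794c062c1381cbab610b0e83904ddab45a73c12243be010fe834cc104
• Instruction Fuzzy Hash: B971EE74A14219CFDB04CFA9C58499EFBF1FF88350F24856AE419AB320D374AA42CF90
• Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^\s*•?\s*([A-Za-z ]+?):\s*(.*?)\s*$")
SDMP_RE = re.compile(r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.(\d{8})\.sdmp")


def parse_dump_name(name):
    """Split an .sdmp file name into its dotted fields. Only 'base' is confirmed
    by the page (it equals the printed Offset); the other names are assumptions
    about the dump naming scheme, which this page does not document."""
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"process": int(m.group(1)),      # assumption: process index
            "run": int(m.group(2)),          # assumption: run index
            "serial": int(m.group(3)),       # assumption: dump serial
            "base": int(m.group(4), 16),     # confirmed: equals Offset
            "protect": int(m.group(5), 16),  # assumption: page protection (0x40 = RWX)
            "kind": int(m.group(6))}         # assumption: dump type


def parse_records(text):
    """One dict per record; also accepts the page's original bullet layout,
    where the file name sits on a separate '• Source File:' line."""
    records, cur = [], None
    for line in text.splitlines():
        if "Memory Dump Source" in line:
            cur = {}
            records.append(cur)
        if cur is None:
            continue
        sd = SDMP_RE.search(line)
        if sd:
            cur["Source File"] = sd.group(0)
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", line)
            cur["Offset"] = int(off.group(1), 16) if off else None
            continue
        m = FIELD_RE.match(line)
        if m and m.group(2):  # skip empty cells such as '• API ID:'
            cur[m.group(1)] = m.group(2)
    return records


def functions_per_region(records):
    """Functions per dump base. A non-PE region that is dense with code is
    where an unpacked or injected payload usually lives."""
    counts = defaultdict(int)
    for r in records:
        counts[parse_dump_name(r["Source File"])["base"]] += 1
    return dict(counts)


def opcode_variants(records):
    """Opcode IDs seen with more than one Instruction ID: the same opcode
    skeleton with different operands, i.e. one routine at several addresses."""
    seen = defaultdict(set)
    for r in records:
        seen[r["Opcode ID"]].add(r["Instruction ID"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def offsets_consistent(records):
    """Cross-check: the printed Offset must equal the base in the file name."""
    return all(parse_dump_name(r["Source File"])["base"] == r["Offset"] for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print({hex(b): n for b, n in functions_per_region(recs).items()})
    print(list(opcode_variants(recs)), offsets_consistent(recs))
```

Run against the full listing (paste the records into SAMPLE or read them from a file), functions_per_region shows which dump regions carry the most disassembled code, and opcode_variants lists the opcode skeletons that recur with different operands; both are cheap ways to pick the region and the routines worth opening in a disassembler first.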

                                                                                      Non-executed Functions

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: V'>x$V'>x
                                                                                      • API String ID: 0-4091641106
                                                                                      • Opcode ID: 869b165db73db061b6ce9402d7c7442b9cc584ec22d632ccca6c5cbd7edeb1d7
                                                                                      • Instruction ID: 5afa3bc794c062c1381cbab610b0e83904ddab45a73c12243be010fe834cc104
                                                                                      • Opcode Fuzzy Hash: 869b165db73db061b6ce9402d7c7442b9cc584ec22d632ccca6c5cbd7edeb1d7
                                                                                      • Instruction Fuzzy Hash: B971EE74A14219CFDB04CFA9C58499EFBF1FF88350F24856AE419AB320D374AA42CF90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: h92$h92
                                                                                      • API String ID: 0-2828096622
                                                                                      • Opcode ID: 6e25a56bc94f8a06bf901776d5f8ac40416c81f7bf8cfcbcf44598bbab29c675
                                                                                      • Instruction ID: 5dc31608ca5916b654915f616a186ba6c80c74400aeeab819ccf36e26e2a6c2b
                                                                                      • Opcode Fuzzy Hash: 6e25a56bc94f8a06bf901776d5f8ac40416c81f7bf8cfcbcf44598bbab29c675
                                                                                      • Instruction Fuzzy Hash: C55148B5E0025A9BDB04CFAACA816EEFBB2FF45350F148567E415A7205D7349A428F90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ~rXp$^J0
                                                                                      • API String ID: 0-3149383297
                                                                                      • Opcode ID: 6ec207d0ba013d88d70c6d7a808151ee13fcd03c23ec7214240444a50a724904
                                                                                      • Instruction ID: 004cf9160a232117d4648043226736be8f4d37978f5d00d356b25b692676f496
                                                                                      • Opcode Fuzzy Hash: 6ec207d0ba013d88d70c6d7a808151ee13fcd03c23ec7214240444a50a724904
                                                                                      • Instruction Fuzzy Hash: 9B512B74E0520A9FDB48CFA9C5816AEFBF2BF88750F24D16AC415F7224D3349A428F95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ~rXp$^J0
                                                                                      • API String ID: 0-3149383297
                                                                                      • Opcode ID: 44639b4e47891930ded9a523c23e24560cdec33df82ef64cd283340475b3fe62
                                                                                      • Instruction ID: fb1043f61a19097b93ca074f0b04dffaa0bfc4d99206be15e7f90c8be92d0715
                                                                                      • Opcode Fuzzy Hash: 44639b4e47891930ded9a523c23e24560cdec33df82ef64cd283340475b3fe62
                                                                                      • Instruction Fuzzy Hash: BC510874E0520ADFDB48CFA9C5816AEFBF2BF88750F24D16AC505B7224D7349A428F94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: U
                                                                                      • API String ID: 0-957457915
                                                                                      • Opcode ID: 573cd50c5a4c1ab70324e089f447457be23784c7446c1b617aa54b8956bcb20f
                                                                                      • Instruction ID: 26d38dea3b926be247252b4bb324c7c47ebea0fcdbdf408e76d6da2e992d743c
                                                                                      • Opcode Fuzzy Hash: 573cd50c5a4c1ab70324e089f447457be23784c7446c1b617aa54b8956bcb20f
                                                                                      • Instruction Fuzzy Hash: 2371F374E15209CFDB08CFAAD9805EEFBF2FB88350F24952AD405B7224D3759A428F64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: U
                                                                                      • API String ID: 0-957457915
                                                                                      • Opcode ID: 471a52c32e2317b2c190235e298d758a507ac3ad9905bc4367c274ce4ba71373
                                                                                      • Instruction ID: a2df0fa52be7cd98e77a69372d7677905cc5406d83aedb4c1e7851740e540e3a
                                                                                      • Opcode Fuzzy Hash: 471a52c32e2317b2c190235e298d758a507ac3ad9905bc4367c274ce4ba71373
                                                                                      • Instruction Fuzzy Hash: 7661E274E05609CFDB04CFAAC9815EEFBF2FB89350F24952AD405B7224D3359A428F64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: G@T
                                                                                      • API String ID: 0-3408965904
                                                                                      • Opcode ID: c7a6d9b672171a72f4a7a04ac9488b0db6bc2d265a6351a537b3436e8d480a97
                                                                                      • Instruction ID: c5dff28b6ff4ecf1efcbcfc5057743999888198d7196daf2f08d8714d1c9225e
                                                                                      • Opcode Fuzzy Hash: c7a6d9b672171a72f4a7a04ac9488b0db6bc2d265a6351a537b3436e8d480a97
                                                                                      • Instruction Fuzzy Hash: 9F414974E116189FDB58CFAAD981A9EFBF6BF88310F10D4AAD409A7314EB304A458F51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: G@T
                                                                                      • API String ID: 0-3408965904
                                                                                      • Opcode ID: 1e58c3884d58436491b4e1f1547564bb883cc1164cc8dbbaca758c0025d9d612
                                                                                      • Instruction ID: bae375a7592bf8fc307a58ed749d2d89dbb21d8a3353d3b73d6a4c642a4b715a
                                                                                      • Opcode Fuzzy Hash: 1e58c3884d58436491b4e1f1547564bb883cc1164cc8dbbaca758c0025d9d612
                                                                                      • Instruction Fuzzy Hash: FF415A74E116199FDB58CFAADA81A9EFBF7BF88310F10D46BD409A7314EB304A458B50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.216760490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7ceefc35fb7344923b8b20ce3eb60a30138e3d728c1d1fab46a11f2750ea5be7
                                                                                      • Instruction ID: b5a65d7e1f9ed75770f0f2c01a92e48f1a4af8776c07549ca1aaa68bc7f29e97
                                                                                      • Opcode Fuzzy Hash: 7ceefc35fb7344923b8b20ce3eb60a30138e3d728c1d1fab46a11f2750ea5be7
                                                                                      • Instruction Fuzzy Hash: 36F189B0A013068FDB29DFB6C650BAEB7F6FF89600F18446ED1469B290DB35D901CB61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 218c751f4993f3de1a97e0a19053fc64a4e60105de8729af9d844ecb8d563962
                                                                                      • Instruction ID: 98c26770ec4c1591764066da6813979d921f760faae02e5b287edf980eaa2c14
                                                                                      • Opcode Fuzzy Hash: 218c751f4993f3de1a97e0a19053fc64a4e60105de8729af9d844ecb8d563962
                                                                                      • Instruction Fuzzy Hash: CAA17B76E007198FCF05DFA6D84459EBBB2FF85300B15816BE905BF221EB35A946CB81
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2b2b860d79d43a85520aeadadddbc735dbccc25e97197abf9728209b0445e52e
                                                                                      • Instruction ID: ed9ff9ac662acc676befb820848611ad1a8fe73d28a5dde9cd5c58dc1030befd
                                                                                      • Opcode Fuzzy Hash: 2b2b860d79d43a85520aeadadddbc735dbccc25e97197abf9728209b0445e52e
                                                                                      • Instruction Fuzzy Hash: EAA12974E15209CFEB04CFEAD4519AEFBB2FF89340F60942AD415AB354E7359A028F94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.211860335.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 738e8ddd60c27a0726642b77bf203b6da5c41458b3a1c4367287acdacb90a5b4
                                                                                      • Instruction ID: 50db78e2776e9beff12b212601191de320b6110de6edefa3ecc806adddf4df6d
                                                                                      • Opcode Fuzzy Hash: 738e8ddd60c27a0726642b77bf203b6da5c41458b3a1c4367287acdacb90a5b4
                                                                                      • Instruction Fuzzy Hash: 95C12FB18117458BE712EF65E8881897BF1FBA6328F70438AD1613F6D8D7B8144ACF48
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 268b33b7e24219afd09c73707494d980e0f6ec3cae39b8940e3865b7e271e065
                                                                                      • Instruction ID: 91543ff3d238acc2de1519788483e02c25f9314c1bf9b45a7a21d7a51bb55cce
                                                                                      • Opcode Fuzzy Hash: 268b33b7e24219afd09c73707494d980e0f6ec3cae39b8940e3865b7e271e065
                                                                                      • Instruction Fuzzy Hash: 4D611275D046588FD72CCF679946299BBF3FFC5302F14C1BB994AA6524DB3009828F82
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): deb1cab487e3257e2c516a5c5cc4c0177fb5f235be10f58caea5a2d5123ea3e7
• Instruction ID: c7de04bac7bc25298402812fcb83b91f65a06aa133111e7183fecc0176786e79
• Instruction Fuzzy Hash: D4810A74E11219CFEB54CFA9C980AAEFBB2FF89304F2481AAD549A7315D7309941CF61
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): 70f20f5352aadf53ebc4e914ff897fb7d4133f4e3f89406f720cd0bd7206f52c
• Instruction ID: d302b64b91bcd2527f8dce7bb3a7af29f4a8f9f72ef55c75b7cd1bc6334be04f
• Instruction Fuzzy Hash: C4813B74E112198FEB54CFA9C980AAEFBB2FF89304F2481AAD549A7315D7309D41CF61
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): 8e72b945c03693f2089fa14c346cb73f7e680d20dd7def8957dcab97ba68a3e7
• Instruction ID: 53d19592e9227dafca54cab7cc88d2b8c716a503c4242219dd23b0c249da5a6f
• Instruction Fuzzy Hash: 7371DD74A15219CFDB44CFA9C58499EFBF1FF88350F2485AAE419AB324C374AA46CF50
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): aab98139173a243065455e53a5a7bb645e8193769515c1db539179415e97cf08
• Instruction ID: f357143b751dbe22a07ec3fda7e54d8641a83a81069520543ecc70acb5e29d7f
• Instruction Fuzzy Hash: 6D6114B4E1120ADFDB04CF99D4819AEFBB2FB88350F14852AE605B7310D774AA42CF94
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): c8aba71227b962a13214817ce7d7d4978a5ecc258138259b07f1abb1cab06098
• Instruction ID: 4a512a18059867ba214ec91858ed32b1f48e225a5d219375dcde118cb703d149
• Instruction Fuzzy Hash: EA6114B4E1120ADFDB04CF99D4809AEFBB2FB88310F14866AE615B7310D7349A52CF94
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): 92b48544a9b860d95e7312d09c0da554fdc6dcbb92ca3fee44b65615bca97d0c
• Instruction ID: 8582a821d23c214e85c8220f921cda6442850f823f146f5a280a8f38df0e2c46
• Instruction Fuzzy Hash: B571F0B4E0124ADBDB04CF99C6809AEFBF2FF88350F14951AD815AB314D735A942CFA5
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): 1ade091e11eceb71a230b469017f2056b07a1bc46a2c68e9cdc2e5c80e1c0f7f
• Instruction ID: 80469f631b8e4e9d571c985af5e0d4db5b0bdef18e5b4b5f312580bd9c689328
• Instruction Fuzzy Hash: 1F610274E0524A9FDB44CF99C6809AEFBF2FF88350F149556D815AB314D7309982CFA1
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): faac282a2072e6643f80e9d5e17fafe468a067530f91503211fc278c4fabcc2c
• Instruction ID: 25cee0d1082ac9febad3e8bc0c9c2f9d572a1a0fbba0ccdb7cd8dffd72535be9
• Instruction Fuzzy Hash: A4513C74E045198BDB18CF9AC9806AEFBF3FB88305F14C16AD919A7305D7309942DF61
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): 4f4a072038e35f75107b61804095dc8ce1fee60cd78b51ff5a6f7d5a0c4d3010
• Instruction ID: f2bfa2627015897fbd49a41d36ecca4eea092391b8e96ad49b908979bdb811f2
• Instruction Fuzzy Hash: CE515C74E151199BDB04CFAAC9806AEFBF3FB88305F28D16AD448A7215D7309A42CF60
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): 65b2cfbacfdde5368f138f92c091b71407efb2671ae288dcf161fb96a353cf0f
• Instruction ID: bcd89c6de2cea3835fd2e79be81c4133b8235f79074ebc89699e6e22da5ad795
• Instruction Fuzzy Hash: D9516D74E045198BDB14CFAAC9806AEFBF3BB89305F14C1AAD948A7345D7309942CF61
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): aa1146a2acc802fa969b456ca4399d0b741321319fe917333720d3f1d95f5912
• Instruction ID: 4f0843005e4c36a5ecd60873bbc11ce973a8284393f7b763b9535dfa86a66b24
• Instruction Fuzzy Hash: 4F418F70E0510AEFEB44CFAAC5415AEFBB2FF84200F14C69AD519A7215D7749A82CF91
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): c3a22a3aab47a35fc9404f02baf036b713b4cd6d93e2964ba083ef2dfc882dcf
• Instruction ID: 8544c2cd41588cc847e846252c82ff61bfaaef26edbfd61bde68c974a712c618
• Instruction Fuzzy Hash: 46414770E0520A9FDB08CFAAC5804EEFBB2FF89350F24C16AD415A7254D7349A46CFA0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): 113d2c866fda60a0129ffb106690bce821183828c254ca8e6f3e85bda3871ded
• Instruction ID: 3442518aa82af367a982ec655ed9561a4e16e4566494b44e3b0bb51491306468
• Instruction Fuzzy Hash: 7D41F870E0520ADBDB48CFAAC5805AEFBF2BB89340F24C52AD515A7214D7349A42CF94
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): ab04d0e0c51c9b2f29c913ec485ba0f3fec3f82dba73f59077e1a0d0ca09accf
• Instruction ID: 8bec161e4ed9ff0506af6e73a3d0853a5a8690db14390e9a48e643c18b345f33
• Instruction Fuzzy Hash: 3D414C75E11A188BEB68CF6B9D4579EFBF3BFC9300F14C1BA950DA6214DB340A468E11
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): 30215ad18520941cdd1561ff94af407e605bfa5e004c6d6f162ed29ef2f9ccf6
• Instruction ID: dfaa9ea0a086b4504aa3117dd9eb03c2ba4fc512543c12eebc02b28f4c514642
• Instruction Fuzzy Hash: 96110671E116189BEB08CFAAE9406EEFBF7ABC8210F14C02AD508B6314DB314A468B51
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): 1b2b3c599f4147e288b3f19ed176da7715466d0e30cf500baf7f487462fef74a
• Instruction ID: a42349136a11d7458cb2cdf59021c97716e08988dceaa45ec8ab30d81010b712
• Instruction Fuzzy Hash: 0A11BF75E056189BEB1CCFABD8406DEFAF7AFC8200F04C176D918A6268EB3415568F51
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): 2fd7595320ad96e2b1e18675c50aad66dfbdda96ce261d8673eed7e9c216290a
• Instruction ID: c8f38b7074d83bc5228e2cc883412ef959846f37b82788b45d42f75b434c3f55
• Instruction Fuzzy Hash: CF113D71E116189FEB08CFAAD9416EEBBF7AFC9210F18C46AD408B7354DB304A458F51
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): ff14a9eccb10251afb44e28b61ea70fcbf9f2449590937504863ca75ee2989f6
• Instruction ID: 1cec8b2ef01cc9a42890300c183f1cdf48b01e44bd643a840bcc4479ab4e3e5d
• Instruction Fuzzy Hash: D121FEB5E046588BEB1CCF6BD84469EFAF3AFC8300F08C57AD91866268DB3405468F51
Uniqueness Score: -1.00%

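The records above are the per-function entries the report emits for each memory dump: an exact Opcode ID, an exact Instruction ID, and a fixed-length Instruction Fuzzy Hash intended for similarity matching. As an added example (not code from the report or from Joe Security), the following Python parses records in the page's layout and flags pairs of distinct functions whose Instruction Fuzzy Hashes differ in only a few hex positions. The three sample records are copied from this report; the positional mismatch count used as the similarity metric is an assumption of this example, not the vendor's documented algorithm. On the two neighbouring process 1 records it reports a distance of 5 out of 70 positions while their Opcode IDs are entirely different, which is the signature of near-duplicate functions in the same dump.

```python
"""Parse the per-function records a sandbox report lists under "Memory Dump Source"
and flag near-duplicate functions by their Instruction Fuzzy Hash.

Added example; not code from the report or from its vendor. The sample records
are copied from the report text (constructed input so this runs offline).
Treating the equal-length Instruction Fuzzy Hash strings as positional and
counting mismatching hex digits is an assumption made here, not the vendor's
documented similarity algorithm.
"""
import re
from itertools import combinations

# Constructed sample: three records in the page's own layout, copied from the
# report (two from process 1, one from process 2).
SAMPLE = """\
Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: deb1cab487e3257e2c516a5c5cc4c0177fb5f235be10f58caea5a2d5123ea3e7
• Instruction ID: c7de04bac7bc25298402812fcb83b91f65a06aa133111e7183fecc0176786e79
• Opcode Fuzzy Hash: deb1cab487e3257e2c516a5c5cc4c0177fb5f235be10f58caea5a2d5123ea3e7
• Instruction Fuzzy Hash: D4810A74E11219CFEB54CFA9C980AAEFBB2FF89304F2481AAD549A7315D7309941CF61
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000001.00000002.217067294.0000000009440000.00000040.00000001.sdmp, Offset: 09440000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70f20f5352aadf53ebc4e914ff897fb7d4133f4e3f89406f720cd0bd7206f52c
• Instruction ID: d302b64b91bcd2527f8dce7bb3a7af29f4a8f9f72ef55c75b7cd1bc6334be04f
• Opcode Fuzzy Hash: 70f20f5352aadf53ebc4e914ff897fb7d4133f4e3f89406f720cd0bd7206f52c
• Instruction Fuzzy Hash: C4813B74E112198FEB54CFA9C980AAEFBB2FF89304F2481AAD549A7315D7309D41CF61
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.466171454.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
Similarity
• API ID:
• String ID: j
• API String ID: 0-2137352139
• Opcode ID: 9e92865246feb715b2cbfa6d50ac262be8144df73d79b43df8065595afe8d057
• Instruction ID: 894d04ec03a09ceed41a7c29edcc7c191d1d25ed52c62cf7a8bcd9e29c4a65a5
• Opcode Fuzzy Hash: 9e92865246feb715b2cbfa6d50ac262be8144df73d79b43df8065595afe8d057
• Instruction Fuzzy Hash: 6292DC30B043058FDB159BB8C8546AEBBF6AF85308F1484B9D446EB396EB35DC45CB51
Uniqueness
Uniqueness Score: -1.00%
"""

# "• Label: value"; the bullet is optional, and a parenthetical after the label
# (e.g. "Opcode ID (= Opcode Fuzzy Hash)") is ignored so merged labels parse too.
FIELD_RE = re.compile(r"^\s*•?\s*([A-Za-z ]+?)(?: \([^)]*\))?:\s*(.*?)\s*$")


def parse_records(text):
    """Return one dict per record; empty fields (as on the page) stay ''."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":  # each record starts here
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return records


def hamming(a, b):
    """Number of differing hex digits; the hashes must be the same length."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length are not comparable positionally")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def near_duplicates(records, max_distance=8):
    """Pairs of distinct functions (different Opcode ID) whose Instruction
    Fuzzy Hashes differ in at most max_distance positions, closest first."""
    pairs = []
    for r1, r2 in combinations(records, 2):
        if r1["Opcode ID"] == r2["Opcode ID"]:
            continue  # same function dumped twice: an exact match, not a "near" one
        d = hamming(r1["Instruction Fuzzy Hash"], r2["Instruction Fuzzy Hash"])
        if d <= max_distance:
            pairs.append((r1["Opcode ID"], r2["Opcode ID"], d))
    return sorted(pairs, key=lambda p: p[2])


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records parsed")
    for a, b, d in near_duplicates(recs):
        print(f"{a[:12]}... ~ {b[:12]}...  distance {d}")
```

The threshold of 8 positions is arbitrary; on a full report you would look at the distance distribution first, since the report's own "Uniqueness Score" is -1.00% for every record here and gives no guidance.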
Executed Functions

Strings
Memory Dump Source
• Source File: 00000002.00000002.466171454.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
Similarity
• API ID:
• String ID: j
• API String ID: 0-2137352139
• Opcode ID (= Opcode Fuzzy Hash): 9e92865246feb715b2cbfa6d50ac262be8144df73d79b43df8065595afe8d057
• Instruction ID: 894d04ec03a09ceed41a7c29edcc7c191d1d25ed52c62cf7a8bcd9e29c4a65a5
• Instruction Fuzzy Hash: 6292DC30B043058FDB159BB8C8546AEBBF6AF85308F1484B9D446EB396EB35DC45CB51
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.466077216.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
Similarity
• API ID:
• String ID: j
• API String ID: 0-2137352139
• Opcode ID (= Opcode Fuzzy Hash): 65241c164f0230dd57024b7c8d9a6ecde694d73a72788910a79934ab8f0d0689
• Instruction ID: 19536b82b3ec23dddfeb66712b070d98aaacce3d3a9bc5e68eaf6f83434243b7
• Instruction Fuzzy Hash: 3E22B070B042458FDB14DBB8C8946AEBBF2BF85304F1484BAD4569B392DB39DC46CB51
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID (= Opcode Fuzzy Hash): f19131dc437d1fb16ca9683abf2062283531bd697e334f8a875e9eb997b70a22
• Instruction ID: 188eb212de900c0779674efcf44a8509b8f5ca56339d3a9878e5dae8b20bbeee
• Instruction Fuzzy Hash: A3631C30D1065ACECB51DF68C884699F7B1FF99314F15C69AE558BB221EB30AAC4CF41
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.466171454.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c23f19570a7c257397dcc75823fa02ad3c3da56e40bfe5981460a3f7d6a87f7
• Instruction ID: 6ded2e1ae11418545405d79329755180758db1ca7e63c8a44a3d5f772d5029c5
                                                                                      • Opcode Fuzzy Hash: 5c23f19570a7c257397dcc75823fa02ad3c3da56e40bfe5981460a3f7d6a87f7
                                                                                      • Instruction Fuzzy Hash: 01A26F30E002198BDB65DF78C8547ADB7F5AF89304F1089AAE54AEB355EF30DD858B81
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 35ed7c51a750c9190bc57cd8662f19fea1e56ee5e6781da3185f28fa74cefff1
                                                                                      • Instruction ID: 000d03f259b50993466cc265867cac52c944eb8c0684a218ddbe2c5d270d1829
                                                                                      • Opcode Fuzzy Hash: 35ed7c51a750c9190bc57cd8662f19fea1e56ee5e6781da3185f28fa74cefff1
                                                                                      • Instruction Fuzzy Hash: A8520470B002058FDB19DBB8C8947AEBBF6AF89618F15846DD505EB392DB34EC05CB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7443b1d579d92e57a8f598eb05fc6568c33710009beb8b614b028676cb9274b0
                                                                                      • Instruction ID: 4f20c28d5f5edd3871efcb842b1f48125181cb378d84da64d55662ee2bc9d845
                                                                                      • Opcode Fuzzy Hash: 7443b1d579d92e57a8f598eb05fc6568c33710009beb8b614b028676cb9274b0
                                                                                      • Instruction Fuzzy Hash: 2442A430E042488FEB25DB78C8947ADBBB2AF85708F14C46ED519AF286CB74DC45CB52
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 543819a16164391139de72740145205576b6ccd17a0aa1650d0c6d021c171aa0
                                                                                      • Instruction ID: 6de7ba4278a771de4483e1ca97b9e6de1d5f129204296136b999ed827f1dd28b
                                                                                      • Opcode Fuzzy Hash: 543819a16164391139de72740145205576b6ccd17a0aa1650d0c6d021c171aa0
                                                                                      • Instruction Fuzzy Hash: 45F15170E002099BEF14DBACC894BADBBB7AF49B18F548429E515EF285CB71DC81CB51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5aa8d426a5ed07ae78ce951db31aa87888c1fab0acc548374c6436ee763b5b3b
                                                                                      • Instruction ID: 2dd7a2fd6bfbb29ad467a303354ba8fc3a2c4048fc1d7c6060227afbb97c5655
                                                                                      • Opcode Fuzzy Hash: 5aa8d426a5ed07ae78ce951db31aa87888c1fab0acc548374c6436ee763b5b3b
                                                                                      • Instruction Fuzzy Hash: A5328270E002488FEB25DBACC4947ADBBB2AF85708F14C56DD519AF286CB74DC85CB52
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32 ref: 014A69A0
                                                                                      • GetCurrentThread.KERNEL32 ref: 014A69DD
                                                                                      • GetCurrentProcess.KERNEL32 ref: 014A6A1A
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 014A6A73
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468951730.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: Current$ProcessThread
                                                                                      • String ID:
                                                                                      • API String ID: 2063062207-0
                                                                                      • Opcode ID: 00160e1f5c67acc56fc4cecb61c2bd8e5a160f50d96797fefdc9c8420caf1b48
                                                                                      • Instruction ID: dc40a0e9e6cd8ec8fecdbcc888b4de9b7e3a8bf00a712ac6204afa9c840fed14
                                                                                      • Opcode Fuzzy Hash: 00160e1f5c67acc56fc4cecb61c2bd8e5a160f50d96797fefdc9c8420caf1b48
                                                                                      • Instruction Fuzzy Hash: 2F5187B0A006488FDB14CFAAC548BEEBFF0EF59314F25859AE159A73A0C7345885CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32 ref: 014A69A0
                                                                                      • GetCurrentThread.KERNEL32 ref: 014A69DD
                                                                                      • GetCurrentProcess.KERNEL32 ref: 014A6A1A
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 014A6A73
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468951730.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: Current$ProcessThread
                                                                                      • String ID:
                                                                                      • API String ID: 2063062207-0
                                                                                      • Opcode ID: ee56359ef7e9262509da445a7e23e77a0bed3c80c577b91923467e2bb14a1f47
                                                                                      • Instruction ID: 3bbdd6f08fa1c849b294d9e2750ec4e0d4de0ba5407f4bda57817a6a5b928942
                                                                                      • Opcode Fuzzy Hash: ee56359ef7e9262509da445a7e23e77a0bed3c80c577b91923467e2bb14a1f47
                                                                                      • Instruction Fuzzy Hash: FD5177B0E002488FDB14CFAAC5487DEBBF0EF59314F25855AE159A73A0C7345884CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32 ref: 014A69A0
                                                                                      • GetCurrentThread.KERNEL32 ref: 014A69DD
                                                                                      • GetCurrentProcess.KERNEL32 ref: 014A6A1A
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 014A6A73
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468951730.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: Current$ProcessThread
                                                                                      • String ID:
                                                                                      • API String ID: 2063062207-0
                                                                                      • Opcode ID: fe0fb4f5088b40300ca712f4267c0d1ddf01b32aa7142166ed7b5091509135b7
                                                                                      • Instruction ID: b3468e0a4a4c190b3c24042f52074d5ead300c8bd7858c150756e59f2f0d65b7
                                                                                      • Opcode Fuzzy Hash: fe0fb4f5088b40300ca712f4267c0d1ddf01b32aa7142166ed7b5091509135b7
                                                                                      • Instruction Fuzzy Hash: F05154B0E006488FDB54CFAAC648BDEBBF0EF99314F25845AE519A73A0D7345984CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: \$\$\$\
                                                                                      • API String ID: 0-3238275731
                                                                                      • Opcode ID: 713fcb342b1211deb4d1870b9aec542e910c872c3972df8b9a09c83eba4847bc
                                                                                      • Instruction ID: 671626fa958793ee0ea0970eeb70a37a0ae0ea130f8a9d1919e98198bdd10d75
                                                                                      • Opcode Fuzzy Hash: 713fcb342b1211deb4d1870b9aec542e910c872c3972df8b9a09c83eba4847bc
                                                                                      • Instruction Fuzzy Hash: D3A1A271B00219CFCB24DBB8C9447BEB6F6EB84A18F24852DD51AEB781EB34DC458791
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.466077216.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: cab89fe65b52d516171887eaf5b9c0c27f27de5f487f22be61d17ff1a8e8846a
                                                                                      • Instruction ID: 68170d9f717cf5046f5e554a3cc889478e06fc1f0c9f3de87b9e2c3fec63c3c4
                                                                                      • Opcode Fuzzy Hash: cab89fe65b52d516171887eaf5b9c0c27f27de5f487f22be61d17ff1a8e8846a
                                                                                      • Instruction Fuzzy Hash: 9A41A171B002059FCB14EBB4D884AEEB7F6BF84204F148979E5129B391DF34D805CBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.466171454.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 86ae9d07d6d89d6f9a5945f039461e238dae6e2f4f6a08bad9cba4b8588c963d
                                                                                      • Instruction ID: ef972134767be81bb74c97486efc02ebd1160ce30ca8a238af26f125edcc816c
                                                                                      • Opcode Fuzzy Hash: 86ae9d07d6d89d6f9a5945f039461e238dae6e2f4f6a08bad9cba4b8588c963d
                                                                                      • Instruction Fuzzy Hash: 94412571E003598FCB05CFAAC4446EEBBF9EF89324F05856AD548A7241EB789845CBE0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014A51A2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468951730.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: CreateWindow
                                                                                      • String ID:
                                                                                      • API String ID: 716092398-0
                                                                                      • Opcode ID: 21a2f10f9447307a1c11311f25a53ab7ad3a769a6c3464f67ae5cad53e08920e
                                                                                      • Instruction ID: 1a52ef180c653ceb56ce65f49e6e970ca541a1c7991ba5cb5c22e8f7e78894dd
                                                                                      • Opcode Fuzzy Hash: 21a2f10f9447307a1c11311f25a53ab7ad3a769a6c3464f67ae5cad53e08920e
                                                                                      • Instruction Fuzzy Hash: 6441D0B1D103089FEF15CF99C984ADEBFB5BF58314F65822AE819AB210D774A845CF90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 014A7F01
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468951730.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: CallProcWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2714655100-0
                                                                                      • Opcode ID: 9498029ff8e9bee378d0261b35013e4221d88f37d06ea0cab9e82570508fdc54
                                                                                      • Instruction ID: ba24158c51af57dcae13f3f7e09135413e547da18926bee4d40cd7ce6555fbc7
                                                                                      • Opcode Fuzzy Hash: 9498029ff8e9bee378d0261b35013e4221d88f37d06ea0cab9e82570508fdc54
                                                                                      • Instruction Fuzzy Hash: 30413AB5A00205CFDB14CF99C488AABBBF5FF98314F15C499E519AB321D735A941CFA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 01064521
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.466171454.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: QueryValue
                                                                                      • String ID:
                                                                                      • API String ID: 3660427363-0
                                                                                      • Opcode ID: 232e3b53862453df11b27e63ec831966d2b9cf66dc028a10cdf638664cd11fa0
                                                                                      • Instruction ID: 170f7625030cbffb66163739f2100fb57cffb8c3c8dfd74f285e025017249b47
                                                                                      • Opcode Fuzzy Hash: 232e3b53862453df11b27e63ec831966d2b9cf66dc028a10cdf638664cd11fa0
                                                                                      • Instruction Fuzzy Hash: A8310EB1D01228DFDB11CF9AC984ADEBBF5BF48310F55806AE819AB310DB749905CFA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 01064521
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.466171454.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: QueryValue
                                                                                      • String ID:
                                                                                      • API String ID: 3660427363-0
                                                                                      • Opcode ID: 0a98023205a41886f03d3e06137e0b29b06325cded0c4f03dbbe1672a25e63a8
                                                                                      • Instruction ID: 582f6d85773eff28e2192575c3751a8a4db34f861ce2f0bfedfc855e8ba6474e
                                                                                      • Opcode Fuzzy Hash: 0a98023205a41886f03d3e06137e0b29b06325cded0c4f03dbbe1672a25e63a8
                                                                                      • Instruction Fuzzy Hash: 6931DEB1D01258DFDB20CF9AD884A8EBBF5BF48714F55806AE859AB310DB749905CF90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 01064264
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.466171454.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: Open
                                                                                      • String ID:
                                                                                      • API String ID: 71445658-0
                                                                                      • Opcode ID: e2d8ed562ff075a22284e741839347380bb5b72c5dde99be99beecb7deba4404
                                                                                      • Instruction ID: ebe794366768a84c2ac780594b9a521858ba54159a61ce92d8ce83dee7e9f2c8
                                                                                      • Opcode Fuzzy Hash: e2d8ed562ff075a22284e741839347380bb5b72c5dde99be99beecb7deba4404
                                                                                      • Instruction Fuzzy Hash: 4A3101B0D012498FDB00CF99C584A8EFFF5BF48314F69816AE809AB301C775A984CB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 01064264
Memory Dump Source
• Source File: 00000002.00000002.466171454.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014A6BEF
Memory Dump Source
• Source File: 00000002.00000002.468951730.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false

APIs
• GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0106E81A), ref: 0106E907
Memory Dump Source
• Source File: 00000002.00000002.466171454.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 014AC212
Memory Dump Source
• Source File: 00000002.00000002.468951730.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 014A4116
Memory Dump Source
• Source File: 00000002.00000002.468951730.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false

Memory Dump Source
• Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d518d53915e532d97fd436dfc3c83067b89636632cfe4a15bbb2875523c9dd5c
                                                                                      • Instruction ID: 1f8d79b43c53509ad33b07dff5166899f5e47775bbdcdd6506a9a6b034acdcd0
                                                                                      • Opcode Fuzzy Hash: d518d53915e532d97fd436dfc3c83067b89636632cfe4a15bbb2875523c9dd5c
                                                                                      • Instruction Fuzzy Hash: B1618D71E007498FDF12CFA9C5446AEFBF2AF8A704F24865DE809AB252D770AD45CB40
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e2b033e38cdee5b9b6490ca4773f9e3e15609bf179c26d4a744fffcb250040e8
                                                                                      • Instruction ID: 5c48ec51bd93ff6bb298629af874136b8ab665cf62c43fb5b4563c4c256908d1
                                                                                      • Opcode Fuzzy Hash: e2b033e38cdee5b9b6490ca4773f9e3e15609bf179c26d4a744fffcb250040e8
                                                                                      • Instruction Fuzzy Hash: F0417F34B002058FDB689BB8C46A77D7AE6AB88744F14443DE916D7798DF70CC428B91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 26a65b3b3d1a2a97df525bb25b9d2fc1b1cca526636af026e75ae0481946f167
                                                                                      • Instruction ID: f311aa903b5564012470d76e8c81a7fd18ddf7be4615b3401a35c28f89f87d0f
                                                                                      • Opcode Fuzzy Hash: 26a65b3b3d1a2a97df525bb25b9d2fc1b1cca526636af026e75ae0481946f167
                                                                                      • Instruction Fuzzy Hash: 38418D31A04249DFDF12CFA8C845AADBFB6AF49718F048559ED15AB292D331ED14CFA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 070119dabd1e2cc46ea292e50526644336e2e6196f00c3129987299a13817e7c
                                                                                      • Instruction ID: 715d4325dcecf1d81f42e8573243c7700d11a31ad3e7913e3b73fd70fe677b29
                                                                                      • Opcode Fuzzy Hash: 070119dabd1e2cc46ea292e50526644336e2e6196f00c3129987299a13817e7c
                                                                                      • Instruction Fuzzy Hash: 2031D035B001158FCB44EBB8D5856EEBBF1FF98618B1180A9D54AE7381EF388D068B91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b3aed759fc206f525e45fdbd4d78db910f22c6951f868247dd85d24aebb264b4
                                                                                      • Instruction ID: f7df466d761166298f2c39bb1b7367eb9850529985d5e3fd1140fefaecc3dba3
                                                                                      • Opcode Fuzzy Hash: b3aed759fc206f525e45fdbd4d78db910f22c6951f868247dd85d24aebb264b4
                                                                                      • Instruction Fuzzy Hash: 2C21C335B042198BCB04A7B8D8192EE37F6AB85718F054679D516EB391EF38DC058791
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4d274b4f55fa34ba68f64391259ec2e1f707c0511f4cdeeb51741ddb6174438d
                                                                                      • Instruction ID: aba6887f153dbd460cd78b3321ab358e22bb08302608cb5944c4789cebdb82be
                                                                                      • Opcode Fuzzy Hash: 4d274b4f55fa34ba68f64391259ec2e1f707c0511f4cdeeb51741ddb6174438d
                                                                                      • Instruction Fuzzy Hash: BE31B435A043068FCB10DF78D8809AFBBBBEF80208B10886DE616DB654DB319D06CB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5435a81843856e32e69414f8e4f788857353467bc09445e7c955873f6f8a0e66
                                                                                      • Instruction ID: 642c6e3c953cec51e4f265e51e76107a09d6eed2205e423bdc406728f297a4fe
                                                                                      • Opcode Fuzzy Hash: 5435a81843856e32e69414f8e4f788857353467bc09445e7c955873f6f8a0e66
                                                                                      • Instruction Fuzzy Hash: 75212630E052489FDB15CFA9D990AEEBFB6AF88749F148069E811B6250DB349E41DB60
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3ab6e5c5655388585ab9d7e89911465614ec3903f904cc39e1822797cc47a75a
                                                                                      • Instruction ID: a30256f6862436d1a705e92cd5bb34619d19c84924bbfb25e110c439fa50c480
                                                                                      • Opcode Fuzzy Hash: 3ab6e5c5655388585ab9d7e89911465614ec3903f904cc39e1822797cc47a75a
                                                                                      • Instruction Fuzzy Hash: 9611D331600245DFDB10CF6DC840B5EFFA6AF85728F148659D918AB292D371FC10CBA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 870e0cad818bf5c0d1bb837b1d36df55a52ec9be63874dbb5e5b7c2cf6f177e7
                                                                                      • Instruction ID: 9617495a4bc629b67628bfea97a3e69e140a0fd2a84c366a80281253c2ed2f5b
                                                                                      • Opcode Fuzzy Hash: 870e0cad818bf5c0d1bb837b1d36df55a52ec9be63874dbb5e5b7c2cf6f177e7
                                                                                      • Instruction Fuzzy Hash: CF113970F0022A8F8B44EBB8C981AAEB7F5FBC82147508479D509F7354EB349D018B91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4211ce5fd9e5a25349c76375a86d54bc4b52b9331d98c54c47a85178f87a55d0
                                                                                      • Instruction ID: b82a1ba3053400418d9d6ebe358e7c793216b05762f5419ce8d8ba8bb874ebe2
                                                                                      • Opcode Fuzzy Hash: 4211ce5fd9e5a25349c76375a86d54bc4b52b9331d98c54c47a85178f87a55d0
                                                                                      • Instruction Fuzzy Hash: FA113C70F002198F8B44EFBCC8849AEBBF5FB882147508039D519F7344EB349D028B91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5c1a32e8ff237a36a07ef72483117d5379d4f8266f16fb18a03aa59e3f1b7d43
                                                                                      • Instruction ID: 01b32c648742151a20379f653e5f90146a46408fd6b8ddbabcd418cee8bfdccf
                                                                                      • Opcode Fuzzy Hash: 5c1a32e8ff237a36a07ef72483117d5379d4f8266f16fb18a03aa59e3f1b7d43
                                                                                      • Instruction Fuzzy Hash: CE01E276A042189FCF05CFD8D9548DEBBBAFF88310B01816AE905AB354DB3599198BA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 55286a2a1e778fdbaee0cb8f14f0e8ebd9d327361f2624dbd7444f3bd5864f41
                                                                                      • Instruction ID: 6a811ed0165e200513b6b3f7bf4d346c3d3654800cb9039e9336cfe6ad75183d
                                                                                      • Opcode Fuzzy Hash: 55286a2a1e778fdbaee0cb8f14f0e8ebd9d327361f2624dbd7444f3bd5864f41
                                                                                      • Instruction Fuzzy Hash: 6AE0C935B000198B8F14FBA8D4949ED73F1ABE81187514079D549E7354EE349C018BA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9f431cbfea42af9b267df90dd04304be8e8aee6b63d560ce3d06ac6feda932c1
                                                                                      • Instruction ID: 756d571b7565ad7cba97383a8c7d2335d0f9051a282598b57dc326361addf11c
                                                                                      • Opcode Fuzzy Hash: 9f431cbfea42af9b267df90dd04304be8e8aee6b63d560ce3d06ac6feda932c1
                                                                                      • Instruction Fuzzy Hash: 08E0C935B101198B8F14EBB8D8948DDB7B1BBE8118751806AD949E7394EE349C018B61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b5e7ffabb9d7c8c5c381a84633588d7c7bf5fd900d60360a4a533dda90bd90e6
                                                                                      • Instruction ID: 90af5e98e081c455888d800f9e98d564b91083a22f4b27d4cddc547f996dcdb2
                                                                                      • Opcode Fuzzy Hash: b5e7ffabb9d7c8c5c381a84633588d7c7bf5fd900d60360a4a533dda90bd90e6
                                                                                      • Instruction Fuzzy Hash: 5CD02200B2030A9A9F0402BA012027E30CA0EC00EEB400C3A5802CF1E1FF1CCC986352
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
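The entries above are a per-function fingerprint list: one record per function recovered from the memory dump at 013C0000, each carrying a 64-hex-digit Opcode ID and Instruction ID plus the two fuzzy hashes Joe Sandbox uses for similarity matching. To work with them outside the report viewer (deduplicate, diff against another sample's dump, feed the fuzzy hashes into a similarity search), the following Python parser, an added example that is not part of the Joe Sandbox report, reads entries in exactly this layout into records and sanity-checks each one. The two embedded sample entries are copied from the section above. The consistency checks it applies (the Opcode Fuzzy Hash repeating the Opcode ID, the Offset reappearing as a 16-digit field inside the dump file name) are patterns observed in these entries, not documented report semantics, and are flagged as such in the code.

```python
"""Parse Joe Sandbox per-function fingerprint entries (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two entries copied (indentation trimmed) from the report section above.
SAMPLE_ENTRIES = """
Memory Dump Source
• Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c1a32e8ff237a36a07ef72483117d5379d4f8266f16fb18a03aa59e3f1b7d43
• Instruction ID: 01b32c648742151a20379f653e5f90146a46408fd6b8ddbabcd418cee8bfdccf
• Opcode Fuzzy Hash: 5c1a32e8ff237a36a07ef72483117d5379d4f8266f16fb18a03aa59e3f1b7d43
• Instruction Fuzzy Hash: CE01E276A042189FCF05CFD8D9548DEBBBAFF88310B01816AE905AB354DB3599198BA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.468855641.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5e7ffabb9d7c8c5c381a84633588d7c7bf5fd900d60360a4a533dda90bd90e6
• Instruction ID: 90af5e98e081c455888d800f9e98d564b91083a22f4b27d4cddc547f996dcdb2
• Opcode Fuzzy Hash: b5e7ffabb9d7c8c5c381a84633588d7c7bf5fd900d60360a4a533dda90bd90e6
• Instruction Fuzzy Hash: 5CD02200B2030A9A9F0402BA012027E30CA0EC00EEB400C3A5802CF1E1FF1CCC986352
Uniqueness

Uniqueness Score: -1.00%
"""

# "• Key: value" lines; the bullet is optional and the value may be empty.
_KV = re.compile(r"^[•*-]?\s*([A-Za-z ]+?):\s*(.*)$")
_SRC = re.compile(
    r"^(?P<file>\S+?),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$",
    re.IGNORECASE,
)
_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_HEX = re.compile(r"^[0-9A-Fa-f]+$")
_PCT = re.compile(r"^(-?\d+(?:\.\d+)?)%$")


@dataclass
class FunctionRecord:
    source_file: str
    offset: int
    based_on_pe: bool
    opcode_id: str
    instruction_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str
    api_id: str
    string_id: str
    api_string_id: str
    uniqueness_score: Optional[float]


def _split_entries(text: str) -> List[List[str]]:
    """Group non-blank lines into entries; each entry starts at 'Memory Dump Source'."""
    entries: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Memory Dump Source" and current:
            entries.append(current)
            current = []
        current.append(line)
    if current:
        entries.append(current)
    return entries


def parse_entry(lines: List[str]) -> FunctionRecord:
    """Turn one entry's lines into a record; section headers without a colon are skipped."""
    fields: Dict[str, str] = {}
    for line in lines:
        m = _KV.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    src = _SRC.match(fields.get("Source File", ""))
    if src is None:
        raise ValueError("entry has no well-formed 'Source File' line")
    pct = _PCT.match(fields.get("Uniqueness Score", ""))
    return FunctionRecord(
        source_file=src.group("file"),
        offset=int(src.group("off"), 16),
        based_on_pe=src.group("pe").lower() == "true",
        opcode_id=fields.get("Opcode ID", "").lower(),
        instruction_id=fields.get("Instruction ID", "").lower(),
        opcode_fuzzy=fields.get("Opcode Fuzzy Hash", "").lower(),
        instruction_fuzzy=fields.get("Instruction Fuzzy Hash", "").upper(),
        api_id=fields.get("API ID", ""),
        string_id=fields.get("String ID", ""),
        api_string_id=fields.get("API String ID", ""),
        uniqueness_score=float(pct.group(1)) if pct else None,
    )


def parse_report(text: str) -> List[FunctionRecord]:
    return [parse_entry(entry) for entry in _split_entries(text)]


def validate(rec: FunctionRecord) -> List[str]:
    """Return sanity-check failures; an empty list means the entry looks well-formed."""
    problems: List[str] = []
    if not _SHA256.match(rec.opcode_id):
        problems.append("Opcode ID is not a 64-hex-digit value")
    if not _SHA256.match(rec.instruction_id):
        problems.append("Instruction ID is not a 64-hex-digit value")
    if not _HEX.match(rec.instruction_fuzzy):
        problems.append("Instruction Fuzzy Hash contains non-hex characters")
    # Observed in the report above (not documented): the Opcode Fuzzy Hash repeats the
    # Opcode ID, so a mismatch points at a mis-parsed or hand-edited entry.
    if rec.opcode_fuzzy != rec.opcode_id:
        problems.append("Opcode Fuzzy Hash differs from Opcode ID")
    # Observed, not documented: the dump file name carries the base address as a
    # 16-digit hex field that agrees with the stated Offset.
    if f"{rec.offset:016X}" not in rec.source_file.split("."):
        problems.append("Offset does not appear in the dump file name")
    return problems


def index_by_dump(records: List[FunctionRecord]) -> Dict[str, List[str]]:
    """Group Instruction Fuzzy Hashes by dump so one dump's function set can be diffed against another."""
    by_dump: Dict[str, List[str]] = {}
    for rec in records:
        by_dump.setdefault(rec.source_file, []).append(rec.instruction_fuzzy)
    return by_dump
```

Run `parse_report` over the copied text of an entire "Executed Functions" block to get one record per function; `index_by_dump` then gives, per .sdmp dump, the list of fuzzy hashes that a similarity tool or a second report can be compared against. A score of -1.00% is parsed as the literal value the report prints and is not interpreted further.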

                                                                                      Non-executed Functions