
Analysis Report medline PO No. 9100002286.exe

Overview

General Information

Sample Name: medline PO No. 9100002286.exe
Analysis ID: 399505
MD5: 3b4740623c70111cf16cd73e2ce7e1e5
SHA1: caddff5529c85f69a942a7436edecd6122a16ac1
SHA256: b20b1c9c785100e0e18623c7f34843a82e066f0f91af93410654733c9e7e4513
Tags: exe

Detection

Snake Keylogger
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Startup

  • System is w10x64
  • medline PO No. 9100002286.exe (PID: 5748 cmdline: 'C:\Users\user\Desktop\medline PO No. 9100002286.exe' MD5: 3B4740623C70111CF16CD73E2CE7E1E5)
    • schtasks.exe (PID: 4828 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{
  "Exfil Mode": "SMTP",
  "SMTP Info": {
    "Port": "587",
    "SMTP Credential": "99chimps@vivaldi.netgoodgood12345smtp.vivaldi.net"
  }
}

The extractor emits the SMTP credential as a single field; it reads as the sender mailbox, the password and the submission host run together (99chimps@vivaldi.net, goodgood12345, smtp.vivaldi.net), so split it before using any part as a pivot. The api.telegram.org/bot/sendMessage template found in process memory (see the Networking strings) has an empty bot token and chat_id, consistent with this SMTP-only configuration.

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000006.00000002.506385916.0000000002E3F000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(matched-strings column empty in this view; additional entries not shown)

            Unpacked PEs

Source | Rule | Description | Author
0.2.medline PO No. 9100002286.exe.3aa8bd0.4.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0.2.medline PO No. 9100002286.exe.3aa8bd0.4.raw.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.medline PO No. 9100002286.exe.3aa8bd0.4.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0.2.medline PO No. 9100002286.exe.3aa8bd0.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.medline PO No. 9100002286.exe.3a3a1b0.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
(matched-strings column empty in this view; additional entries not shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started  Author: Joe Security
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\medline PO No. 9100002286.exe'
  ParentImage: C:\Users\user\Desktop\medline PO No. 9100002286.exe
  ParentProcessId: 5748
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
  ProcessId: 4828

Note the Image/CommandLine mismatch: the 32-bit parent asks for System32\schtasks.exe, and WOW64 file-system redirection runs SysWOW64\schtasks.exe instead, so a rule that keys on the full System32 image path misses this event. The task name Updates\RDdkJkTI matches the dropped file C:\Users\user\AppData\Roaming\RDdkJkTI.exe flagged below; the task XML itself is not reproduced in the report.
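The Sigma match above is the persistence step: a task is registered from an XML definition the dropper wrote to the user's Temp directory. The following Python is an added example, not Joe Security's rule or code. It reproduces that detection over process-creation events in the field layout the Sigma output uses (Image, CommandLine, ParentImage, ProcessId), tokenising the command line the way the report prints it. The three events are constructed: the first mirrors the report, the other two are benign look-alikes the check must not flag. The Temp-directory pattern is an assumption to tune per environment.

```python
"""Flag schtasks.exe /Create with a /XML task definition read from a Temp directory.

Added example, not Joe Security's Sigma rule. Event keys follow the 'Process
started' fields in the report: Image, CommandLine, ParentImage, ProcessId."""
import ntpath
import re
from typing import Optional

# One argument: single-quoted, double-quoted, or bare. Joe Sandbox prints the
# original double quotes as single quotes, so both forms are accepted.
TOKEN_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")

# Temp locations a user-level dropper can write to. Assumption: illustrative
# list, extend it for your environment (e.g. %LOCALAPPDATA% sub-directories).
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.IGNORECASE)


def split_cmdline(cmdline: str) -> list:
    return [a or b or c for a, b, c in TOKEN_RE.findall(cmdline)]


def parse_schtasks_switches(tokens: list) -> dict:
    """Map '/switch value' pairs to a dict; value-less switches map to True."""
    switches = {}
    i = 1                                   # tokens[0] is the executable path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = tokens[i + 1]
                i += 2
                continue
            switches[name] = True
        i += 1
    return switches


def scheduled_task_from_temp(event: dict) -> Optional[dict]:
    """Return a finding for a matching process-creation event, else None."""
    # Match on the basename only: a 32-bit parent calling System32\schtasks.exe
    # is redirected by WOW64 to SysWOW64\schtasks.exe, so the directory varies.
    if ntpath.basename(event.get("Image", "")).lower() != "schtasks.exe":
        return None
    switches = parse_schtasks_switches(split_cmdline(event.get("CommandLine", "")))
    xml_path = switches.get("xml")
    if "create" not in switches or not isinstance(xml_path, str):
        return None
    if not TEMP_DIR_RE.search(xml_path):
        return None
    return {
        "task_name": switches.get("tn"),
        "xml_path": xml_path,
        "parent_image": event.get("ParentImage"),
        "process_id": event.get("ProcessId"),
    }


def triage(events: list) -> list:
    return [f for f in (scheduled_task_from_temp(e) for e in events) if f]


# Constructed events: the first mirrors the report's Sigma match, the other two
# are benign look-alikes (XML outside Temp; a /Query rather than /Create).
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' "
                       r"/XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'",
        "ParentImage": r"C:\Users\user\Desktop\medline PO No. 9100002286.exe",
        "ProcessId": 4828,
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup" '
                       r'/XML "C:\ProgramData\Backup\task.xml"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ProcessId": 1234,
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\RDdkJkTI"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ProcessId": 1235,
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The finding carries the parent image so the alert can be enriched with the dropper's path; in a real pipeline the next step is to pull the task XML named in xml_path (or the registered task under \Updates) before the dropper deletes the temp file.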

                      Signature Overview


                      AV Detection:

Found malware configuration
Source: 00000000.00000002.259808275.0000000003829000.00000004.00000001.sdmp  Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "99chimps@vivaldi.netgoodgood12345smtp.vivaldi.net"}}
Multi AV Scanner detection for submitted file
Source: medline PO No. 9100002286.exe  Virustotal: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\RDdkJkTI.exe  Joe Sandbox ML: detected
Machine Learning detection for sample
Source: medline PO No. 9100002286.exe  Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.medline PO No. 9100002286.exe.400000.0.unpack  Avira: Label: TR/Spy.Gen
Uses 32bit PE files
Source: medline PO No. 9100002286.exe  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown  HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49715 version: TLS 1.0
Source: medline PO No. 9100002286.exe  Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_052ADFD0)
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_052ADCB8)

                      Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  DNS query: name: checkip.dyndns.org
IP address seen in connection with other malware
Source: Joe Sandbox View  IP Address: 104.21.19.200
Source: Joe Sandbox View  IP Address: 216.146.43.71
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View  JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic  HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic  HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown  HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49715 version: TLS 1.0
Source: global traffic  HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic  HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown  DNS traffic detected: queries for: checkip.dyndns.org
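The network signals in this section are individually weak: public-IP lookups, a legacy user agent and a TLS 1.0 client all occur in legitimate software. What makes them actionable is their co-occurrence on one host and, given the extracted configuration (SMTP exfiltration on port 587), an outbound mail-submission connection from a process that is not a mail client shortly after the IP lookup. The Python below is an added example, not Joe Sandbox code. It parses a constructed pipe-delimited event log (timestamp|host|process|kind|detail, roughly what a join of endpoint and network telemetry would provide), scores each host/process pair and alerts above a threshold. The port-587 event is constructed to show the exfiltration path, since no SMTP session was captured in the sandbox run; the mail-client allow-list, the time window and the weights are assumptions to tune.

```python
"""Score the weak network signals from the report per host/process pair.

Added example, not Joe Sandbox code. Input format is constructed for the example:
one event per line, 'timestamp|host|process|kind|detail'."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

IP_CHECK_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}          # from the report
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
BAD_JA3 = {"54328bd36c14bd82ddaa0c04b25ed9ad"}                      # from the report
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: site allow-list
EXFIL_WINDOW = timedelta(minutes=10)               # assumption: tune per environment
ALERT_THRESHOLD = 5                                # assumption

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    ts, host, proc, kind, detail = line.split("|", 4)
    kv = dict(KV_RE.findall(detail))
    if " ua=" in detail:                # the user agent contains spaces: take the rest
        kv["ua"] = detail.split(" ua=", 1)[1]
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "kind": kind, "detail": detail, "kv": kv}


def assess(lines: list) -> dict:
    """Return {(host, process): {"score", "reasons", "alert"}}."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev["host"], ev["proc"])].append(ev)

    findings = {}
    for (host, proc), evs in by_actor.items():
        score, reasons, ip_checks = 0, [], []
        for ev in evs:
            kind, kv = ev["kind"], ev["kv"]
            is_ip_check = (kind == "dns" and ev["detail"] in IP_CHECK_HOSTS) or \
                          (kind == "http" and kv.get("host") in IP_CHECK_HOSTS)
            if is_ip_check:
                if not ip_checks:                 # count the behaviour once per actor
                    score += 1
                    reasons.append("public_ip_lookup")
                ip_checks.append(ev["ts"])
            if kind == "http" and kv.get("ua") == LEGACY_UA:
                score += 1
                reasons.append("legacy_dotnet_user_agent")
            if kind == "tls" and kv.get("version") == "TLS1.0":
                score += 1
                reasons.append("tls_1_0_client")
            if kind == "tls" and kv.get("ja3") in BAD_JA3:
                score += 2
                reasons.append("known_bad_ja3")
            if kind == "conn" and kv.get("dst", "").endswith(":587") \
                    and proc.lower() not in MAIL_CLIENTS:
                # Mail submission from a non-mail client right after learning the
                # public IP is the exfil pattern the extracted config describes.
                if any(ev["ts"] - t <= EXFIL_WINDOW for t in ip_checks):
                    score += 4
                    reasons.append("smtp_submission_after_ip_lookup")
                else:
                    score += 1
                    reasons.append("smtp_submission_from_non_mail_client")
        findings[(host, proc)] = {"score": score, "reasons": reasons,
                                  "alert": score >= ALERT_THRESHOLD}
    return findings


# Constructed events (timestamps invented). WS01 replays the report's traffic
# plus one constructed port-587 connection; WS02 shows two benign look-alikes.
SAMPLE_LOG = [
    "2021-04-13T10:00:01|WS01|medline PO No. 9100002286.exe|dns|checkip.dyndns.org",
    "2021-04-13T10:00:01|WS01|medline PO No. 9100002286.exe|http|host=checkip.dyndns.org "
    "ua=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)",
    "2021-04-13T10:00:02|WS01|medline PO No. 9100002286.exe|tls|dst=104.21.19.200:443 "
    "version=TLS1.0 ja3=54328bd36c14bd82ddaa0c04b25ed9ad",
    "2021-04-13T10:03:40|WS01|medline PO No. 9100002286.exe|conn|dst=smtp.vivaldi.net:587",
    "2021-04-13T10:05:00|WS02|powershell.exe|dns|checkip.dyndns.org",
    "2021-04-13T10:06:00|WS02|outlook.exe|conn|dst=smtp.office365.com:587",
]

if __name__ == "__main__":
    for actor, finding in assess(SAMPLE_LOG).items():
        print(actor, finding)
```

The public-IP lookup is scored once per actor rather than per event because the sample issues it repeatedly (four DNS queries above); counting every repetition would let noise alone cross the threshold.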
Reading the memory strings below: the fontbureau.com, carterandcone.com, jiyu-kobo.co.jp, tiro.com, urwpp.de, founder.com.cn, sandoll.co.kr, goodfont.co.kr, sajatypeworks.com, zhongyicts.com.cn, typography.net, galapagosdesign.com, fonts.com, fontfabrik.com and apache.org/licenses entries (all from process 0) are vendor and licence URLs from the name tables of Windows font files the process mapped, not infrastructure of the sample; the trailing junk characters are adjacent bytes swept up by the string scanner. The digicert.com and report-uri.cloudflare.com entries come from the certificate chain and response headers of the TLS session with 104.21.19.200 (a Cloudflare address). The strings that characterise the payload (process 6) are checkip.dyndns.org, freegeoip.app/xml/ (geolocation of the public IP just learned) and the api.telegram.org/bot/sendMessage template, whose empty token and chat_id match the SMTP-only configuration.

Source: medline PO No. 9100002286.exe, 00000006.00000002.506242450.0000000002E1F000.00000004.00000001.sdmp  String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: medline PO No. 9100002286.exe, 00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmp  String found in binary or memory: http://checkip.dyndns.org
Source: medline PO No. 9100002286.exe, 00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmp  String found in binary or memory: http://checkip.dyndns.org/
Source: medline PO No. 9100002286.exe, 00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmp  String found in binary or memory: http://checkip.dyndns.org/HB
Source: medline PO No. 9100002286.exe, 00000006.00000002.506242450.0000000002E1F000.00000004.00000001.sdmp  String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: medline PO No. 9100002286.exe, 00000006.00000002.506242450.0000000002E1F000.00000004.00000001.sdmp  String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://fontfabrik.com
Source: medline PO No. 9100002286.exe, 00000006.00000002.506242450.0000000002E1F000.00000004.00000001.sdmp  String found in binary or memory: http://ocsp.digicert.com0
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp, medline PO No. 9100002286.exe, 00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: medline PO No. 9100002286.exe  String found in binary or memory: http://web.archive.org/web/20150218144800/http://faculty.darden.virginia.edu/conroyb/derivatives/Bin
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: medline PO No. 9100002286.exe, 00000000.00000003.235637027.00000000057F0000.00000004.00000001.sdmp  String found in binary or memory: http://www.carterandcone.com
Source: medline PO No. 9100002286.exe, 00000000.00000003.236294998.00000000057C4000.00000004.00000001.sdmp  String found in binary or memory: http://www.carterandcone.com.
Source: medline PO No. 9100002286.exe, 00000000.00000003.235637027.00000000057F0000.00000004.00000001.sdmp, medline PO No. 9100002286.exe, 00000000.00000003.235736430.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.carterandcone.com_
Source: medline PO No. 9100002286.exe, 00000000.00000003.235637027.00000000057F0000.00000004.00000001.sdmp  String found in binary or memory: http://www.carterandcone.com_0
Source: medline PO No. 9100002286.exe, 00000000.00000003.235736430.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.carterandcone.comh-s$&
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.carterandcone.coml
Source: medline PO No. 9100002286.exe, 00000000.00000003.235736430.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.carterandcone.comn-u
Source: medline PO No. 9100002286.exe, 00000000.00000003.257777024.00000000057D1000.00000004.00000001.sdmp, medline PO No. 9100002286.exe, 00000000.00000003.241155999.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com
Source: medline PO No. 9100002286.exe, 00000000.00000003.239101206.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com#n
Source: medline PO No. 9100002286.exe, 00000000.00000003.241155999.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com.TTF
Source: medline PO No. 9100002286.exe, 00000000.00000003.240741774.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com.TTFbnr
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designers
Source: medline PO No. 9100002286.exe, 00000000.00000003.239062434.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designers/
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designers/?
Source: medline PO No. 9100002286.exe, 00000000.00000003.239224383.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designers/_
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: medline PO No. 9100002286.exe, 00000000.00000003.239996572.00000000057CC000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html8-
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designers8
Source: medline PO No. 9100002286.exe, 00000000.00000003.240812351.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designers:
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designers?
Source: medline PO No. 9100002286.exe, 00000000.00000003.239318313.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designersC-#
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designersG
Source: medline PO No. 9100002286.exe, 00000000.00000003.240937573.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designersn
Source: medline PO No. 9100002286.exe, 00000000.00000003.239563634.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designerss
Source: medline PO No. 9100002286.exe, 00000000.00000003.240192056.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.com/designersx.
Source: medline PO No. 9100002286.exe, 00000000.00000003.240066120.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comF
Source: medline PO No. 9100002286.exe, 00000000.00000003.240741774.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comUn
Source: medline PO No. 9100002286.exe, 00000000.00000003.240577500.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comaUn
Source: medline PO No. 9100002286.exe, 00000000.00000003.241155999.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comalic
Source: medline PO No. 9100002286.exe, 00000000.00000003.240741774.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comalsF
Source: medline PO No. 9100002286.exe, 00000000.00000003.240066120.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comd1n
Source: medline PO No. 9100002286.exe, 00000000.00000003.240066120.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comdbnr
Source: medline PO No. 9100002286.exe, 00000000.00000003.240066120.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comdpn
Source: medline PO No. 9100002286.exe, 00000000.00000003.240066120.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comgretaUn
Source: medline PO No. 9100002286.exe, 00000000.00000003.239591593.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comgrita
Source: medline PO No. 9100002286.exe, 00000000.00000003.245263003.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comgrito
Source: medline PO No. 9100002286.exe, 00000000.00000003.240229530.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comitua
Source: medline PO No. 9100002286.exe, 00000000.00000003.239339502.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comldm
Source: medline PO No. 9100002286.exe, 00000000.00000003.245263003.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comm1n
Source: medline PO No. 9100002286.exe, 00000000.00000003.239101206.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comnc.
Source: medline PO No. 9100002286.exe, 00000000.00000003.239339502.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.como
Source: medline PO No. 9100002286.exe, 00000000.00000003.240066120.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comonyF
Source: medline PO No. 9100002286.exe, 00000000.00000003.239224383.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.compn
Source: medline PO No. 9100002286.exe, 00000000.00000003.239224383.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.fontbureau.comsiv/ynK
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.fonts.com
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.founder.com.cn/cn
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: medline PO No. 9100002286.exe, 00000000.00000003.242259486.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.galapagosdesign.com/
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: medline PO No. 9100002286.exe, 00000000.00000003.243059122.00000000057C8000.00000004.00000001.sdmp, medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.goodfont.co.kr
Source: medline PO No. 9100002286.exe, 00000000.00000003.236454321.00000000057D1000.00000004.00000001.sdmp, medline PO No. 9100002286.exe, 00000000.00000003.236303084.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: medline PO No. 9100002286.exe, 00000000.00000003.236454321.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.jiyu-kobo.co.jp/#n
Source: medline PO No. 9100002286.exe, 00000000.00000003.236454321.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.jiyu-kobo.co.jp/:n
Source: medline PO No. 9100002286.exe, 00000000.00000003.237122449.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.jiyu-kobo.co.jp/FF
Source: medline PO No. 9100002286.exe, 00000000.00000003.237122449.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.jiyu-kobo.co.jp/bnr
Source: medline PO No. 9100002286.exe, 00000000.00000003.236866633.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: medline PO No. 9100002286.exe, 00000000.00000003.236645715.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.jiyu-kobo.co.jp/kny
Source: medline PO No. 9100002286.exe, 00000000.00000003.236454321.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.jiyu-kobo.co.jp/liqu
Source: medline PO No. 9100002286.exe, 00000000.00000003.236866633.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.jiyu-kobo.co.jp/pn
Source: medline PO No. 9100002286.exe, 00000000.00000003.236454321.00000000057D1000.00000004.00000001.sdmp  String found in binary or memory: http://www.jiyu-kobo.co.jp/ynK
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.sajatypeworks.com
Source: medline PO No. 9100002286.exe, 00000000.00000003.237022000.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.sakkal.com
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.sandoll.co.kr
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.tiro.com
Source: medline PO No. 9100002286.exe, 00000000.00000003.236003203.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.tiro.com4:
Source: medline PO No. 9100002286.exe, 00000000.00000003.236003203.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.tiro.comL?~
Source: medline PO No. 9100002286.exe, 00000000.00000003.236003203.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.tiro.comic_
Source: medline PO No. 9100002286.exe, 00000000.00000003.236003203.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.tiro.como?
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.typography.netD
Source: medline PO No. 9100002286.exe, 00000000.00000003.240973589.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.urwpp.de
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.urwpp.deDPlease
Source: medline PO No. 9100002286.exe, 00000000.00000003.240973589.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.urwpp.dea?
Source: medline PO No. 9100002286.exe, 00000000.00000003.239026468.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.urwpp.deo
Source: medline PO No. 9100002286.exe, 00000000.00000003.240973589.00000000057F1000.00000004.00000001.sdmp  String found in binary or memory: http://www.urwpp.dez?h
Source: medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmp  String found in binary or memory: http://www.zhongyicts.com.cn
Source: medline PO No. 9100002286.exe, 00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmp  String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: medline PO No. 9100002286.exe, 00000006.00000002.506242450.0000000002E1F000.00000004.00000001.sdmp  String found in binary or memory: https://freegeoip.app
Source: medline PO No. 9100002286.exe, 00000006.00000002.506242450.0000000002E1F000.00000004.00000001.sdmp  String found in binary or memory: https://freegeoip.app/xml/
Source: medline PO No. 9100002286.exe, 00000006.00000002.506242450.0000000002E1F000.00000004.00000001.sdmp  String found in binary or memory: https://freegeoip.app/xml/84.17.52.3
Source: medline PO No. 9100002286.exe, 00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmp  String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: medline PO No. 9100002286.exe  String found in binary or memory: https://github.com/gh28942
Source: medline PO No. 9100002286.exe, 00000006.00000002.506348010.0000000002E3B000.00000004.00000001.sdmp, medline PO No. 9100002286.exe, 00000006.00000002.506385916.0000000002E3F000.00000004.00000001.sdmp  String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp  String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: medline PO No. 9100002286.exe, 00000006.00000002.506242450.0000000002E1F000.00000004.00000001.sdmp  String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown  Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49715
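For readers who want to see what the JA3 value and the "TLS 1.0" finding in this section actually encode: JA3 is the MD5 of five comma-separated fields taken from the ClientHello (handshake version, cipher suites, extension types, supported groups, EC point formats; each list joined with "-", GREASE values dropped). The Python below is an added example, not Joe Sandbox code. Its ClientHello is constructed with the included builder so the example runs offline; it does not reproduce the sample's handshake, so its hash differs from 54328bd36c14bd82ddaa0c04b25ed9ad. It shows that the first JA3 field is the ClientHello version, so the TLS 1.0 finding and the fingerprint are two views of the same handshake bytes, and that the SNI host name does not influence the fingerprint.

```python
"""JA3 from a ClientHello: version, ciphers, extensions, groups, point formats.
Added example, not Joe Sandbox code; the ClientHello is constructed below."""
import hashlib
import struct

EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0, 10, 11


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are dropped by JA3."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


# --- builder: only used to construct the sample input -------------------------
def ext_server_name(host: str) -> tuple:
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    return EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry


def ext_supported_groups(groups: list) -> tuple:
    data = b"".join(struct.pack("!H", g) for g in groups)
    return EXT_SUPPORTED_GROUPS, struct.pack("!H", len(data)) + data


def ext_ec_point_formats(formats: list) -> tuple:
    return EXT_EC_POINT_FORMATS, bytes([len(formats)]) + bytes(formats)


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """TLS record carrying a ClientHello; random and session id are zeroed."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                        # compression: null only
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version stays 0x0301 whatever the handshake version, as real
    # clients do; JA3 deliberately reads the version from the handshake instead.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


# --- parser / fingerprint ------------------------------------------------------
def ja3_from_client_hello(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record containing a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    hs = record[5:]
    off = 4                                                    # type + 3-byte length
    version = struct.unpack_from("!H", hs, off)[0]
    off += 2 + 32                                              # version, client random
    off += 1 + hs[off]                                         # session id
    cs_len = struct.unpack_from("!H", hs, off)[0]
    off += 2
    ciphers = [struct.unpack_from("!H", hs, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + hs[off]                                         # compression methods
    ext_types, groups, formats = [], [], []
    if off < len(hs):
        end = off + 2 + struct.unpack_from("!H", hs, off)[0]
        off += 2
        while off < end:
            etype, elen = struct.unpack_from("!HH", hs, off)
            data = hs[off + 4:off + 4 + elen]
            off += 4 + elen
            if is_grease(etype):
                continue
            ext_types.append(etype)
            if etype == EXT_SUPPORTED_GROUPS:
                glen = struct.unpack_from("!H", data, 0)[0]
                groups = [g for g in (struct.unpack_from("!H", data, 2 + i)[0]
                                      for i in range(0, glen, 2)) if not is_grease(g)]
            elif etype == EXT_EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])
    ciphers = [c for c in ciphers if not is_grease(c)]
    ja3 = ",".join([str(version)] + ["-".join(map(str, xs))
                                     for xs in (ciphers, ext_types, groups, formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed TLS 1.0 ClientHello with GREASE entries to show they are ignored;
# the SNI host is a placeholder and does not influence the fingerprint.
SAMPLE_HELLO = build_client_hello(
    0x0301,
    [0x0A0A, 0x002F, 0x0035, 0xC013, 0xC014],
    [ext_server_name("sni.example"), (0x1A1A, b""),
     ext_supported_groups([0x2A2A, 23, 24]), ext_ec_point_formats([0])],
)

if __name__ == "__main__":
    print(ja3_from_client_hello(SAMPLE_HELLO))
```

In practice you feed ja3_from_client_hello the first TLS record of each flow taken from a capture; the "version: TLS 1.0" the sandbox reports is this same handshake-version field, which is why a JA3 match and a legacy-TLS finding on the same flow are not independent evidence.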

                      System Summary:

Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_0260C2B0
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_02609998
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A1538
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A5D60
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A5D70
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A55C8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A45C1
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A15D8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A55D8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052AB4A0
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A9CC8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052AE7D0
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A0620
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A4618
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A0613
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052ACEB8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052AA9B8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A0033
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A0040
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052AB858
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A0888
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A0898
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A637F
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A63A8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A03E8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A03DB
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A0AA8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A5AA0
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A0A98
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 0_2_052A5A90
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_02D4B2B0
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_02D48300
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_02D40658
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_02D47B98
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_02D4F9F0
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_02D44630
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_02D41628
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_02D40B70
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_02D459E0
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_02D4F9E1
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_06484740
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe  Code function: 6_2_064827F0
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064800406_2_06480040
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06482FD86_2_06482FD8
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064808286_2_06480828
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064837C06_2_064837C0
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064817F86_2_064817F8
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064810106_2_06481010
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06483F586_2_06483F58
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06481FE06_2_06481FE0
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064827716_2_06482771
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_0648472F6_2_0648472F
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064807C86_2_064807C8
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064800066_2_06480006
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06482F786_2_06482F78
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06480FB16_2_06480FB1
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064837606_2_06483760
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064817996_2_06481799
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06481F816_2_06481F81
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06483FA86_2_06483FA8
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064927346_2_06492734
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064999B86_2_064999B8
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06490F486_2_06490F48
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064937606_2_06493760
Source: medline PO No. 9100002286.exe, 00000000.00000002.259369361.000000000286D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUPJ4C205.exe4 vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.270826412.0000000006EF0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000003.252107178.0000000007422000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyFlagsAttribute.exeJ vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.273934116.000000000D300000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.274159227.000000000D400000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.274159227.000000000D400000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.271582690.0000000007390000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000006.00000000.256897765.0000000000A36000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAssemblyFlagsAttribute.exeJ vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000006.00000002.502857347.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000006.00000002.501946177.0000000000466000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameUPJ4C205.exe4 vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000006.00000002.502608095.0000000000BC6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe | Binary or memory string: OriginalFilenameAssemblyFlagsAttribute.exeJ vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: medline PO No. 9100002286.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RDdkJkTI.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@3/3
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File created: C:\Users\user\AppData\Roaming\RDdkJkTI.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7588.tmp
Source: medline PO No. 9100002286.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: medline PO No. 9100002286.exe | Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File read: C:\Users\user\Desktop\medline PO No. 9100002286.exe
Source: unknown | Process created: C:\Users\user\Desktop\medline PO No. 9100002286.exe 'C:\Users\user\Desktop\medline PO No. 9100002286.exe'
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Process created: C:\Users\user\Desktop\medline PO No. 9100002286.exe C:\Users\user\Desktop\medline PO No. 9100002286.exe
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: medline PO No. 9100002286.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: medline PO No. 9100002286.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.259808275.0000000003829000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5452, type: MEMORY
Source: Yara match | File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5748, type: MEMORY
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3aa8bd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3aa8bd0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3a3a1b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.medline PO No. 9100002286.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 0_2_004052AF push es; iretd 0_2_004052C8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 0_2_0040527F push es; iretd 0_2_004052C8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 0_2_0040B93F push edi; ret 0_2_0040B940
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 0_2_052A4001 push ebp; ret 0_2_052A4002
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 6_2_009B527F push es; iretd 6_2_009B52C8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 6_2_009BB93F push edi; ret 6_2_009BB940
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 6_2_009B52AF push es; iretd 6_2_009B52C8
Source: initial sample | Static PE information: section name: .text entropy: 7.81158493919
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File created: C:\Users\user\AppData\Roaming\RDdkJkTI.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5748, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Yara detected Beds Obfuscator
Source: Yara match | File source: 00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.259808275.0000000003829000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5452, type: MEMORY
Source: Yara match | File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5748, type: MEMORY
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3aa8bd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3aa8bd0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3a3a1b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.medline PO No. 9100002286.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe TID: 1404 | Thread sleep time: -99376s >= -30000s
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe TID: 5944 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Thread delayed: delay time: 99376
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Thread delayed: delay time: 922337203685477
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
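Because each separator in the fused strings above equals the character count of the string that follows, the dump can be split back into the sample's own check list. The following is an added example, not code from the report or from the sample: it decodes the four fused strings shown above, groups every recovered string by the analysis artifact it betrays, and classifies the two reported delay values. Assumptions made for the demonstration: the report's delay values are milliseconds, 30 s is the sandbox threshold visible in the report's comparison, the per-artifact notes and the function names (decode_length_prefixed, triage_strings, classify_sleep_ms) are mine, and the FUSED constants are the report's string hits copied verbatim.

```python
from __future__ import annotations

# The four fused string hits from the 0x02821000 region, copied from the report.
FUSED = [
    ("VMWARE\"SOFTWARE\\VMware, Inc.\\VMware Tools"
     "LHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
     "LHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
     "'SYSTEM\\ControlSet001\\Services\\Disk\\Enum"),
    'VMware SVGA II!Add-MpPreference -ExclusionPath "',
    "InstallPath%C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
    "vmwareNSYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
]
# Character counts of the leading fragments whose own prefix the dump cut off.
LEADING = [6, 14, 11, 6]


def decode_length_prefixed(blob: str, skip: int = 0) -> list[str]:
    """Split a run of length-prefixed strings. Each prefix char's code point is the
    character count of the string after it; `skip` drops a leading fragment.
    Raises ValueError when the run does not end exactly on a string boundary."""
    out, i = [], skip
    while i < len(blob):
        n = ord(blob[i])
        seg = blob[i + 1:i + 1 + n]
        if len(seg) != n:
            raise ValueError(f"truncated: need {n} chars at offset {i + 1}, have {len(seg)}")
        out.append(seg)
        i += 1 + n
    return out


def decoded_config() -> list[str]:
    """Every string recovered from FUSED plus the two standalone module probes."""
    items = ["WINE_GET_UNIX_FILE_NAME", "SBIEDLL.DLL"]
    for blob, skip in zip(FUSED, LEADING):
        items.append(blob[:skip])                       # keep the leading fragment as well
        items.extend(decode_length_prefixed(blob, skip))
    return items


# (needle, family, analyst note). Matching is case-insensitive; the sample upper-cases some strings.
ARTIFACTS: list[tuple[str, str, str]] = [
    ("SBIEDLL.DLL", "sandbox", "DLL Sandboxie injects; found by walking loaded modules"),
    ("WINE_GET_UNIX_FILE_NAME", "sandbox", "kernel32 export that only exists under Wine"),
    ("SOFTWARE\\VMware, Inc.\\VMware Tools", "vmware", "VMware Tools registry key"),
    ("PROGRAM FILES\\VMWARE\\VMWARE TOOLS", "vmware", "VMware Tools install directory"),
    ("VMware SVGA II", "vmware", "display adapter name of the VMware SVGA driver"),
    ("Ven_NECVMWar", "vmware", "vendor string of the virtual SATA CD-ROM"),
    ("HARDWARE\\DEVICEMAP\\Scsi\\", "hypervisor", "SCSI Identifier values name the virtual disk vendor"),
    ("SYSTEM\\ControlSet001\\Services\\Disk\\Enum", "hypervisor", "enumerated disk IDs name the virtual disk vendor"),
    ("{4D36E968-E325-11CE-BFC1-08002BE10318}", "hypervisor", "display-adapter class key; DriverDesc names the virtual GPU"),
    ("Add-MpPreference -ExclusionPath", "defense-evasion", "PowerShell cmdlet that adds a Defender exclusion"),
]


def triage_strings(strings: list[str]) -> dict[str, list[str]]:
    """Return {family: sorted artifacts seen}; one string may hit several catalogue entries."""
    hits: dict[str, set[str]] = {}
    for s in strings:
        low = s.lower()
        for needle, family, _why in ARTIFACTS:
            if needle.lower() in low:
                hits.setdefault(family, set()).add(needle)
    return {family: sorted(found) for family, found in sorted(hits.items())}


def explain(artifact: str) -> str:
    """Analyst note for a matched artifact."""
    return next(why for needle, _family, why in ARTIFACTS if needle == artifact)


TICKS_PER_MS = 10_000                       # one NT tick is 100 ns
INFINITE_MS = (2**63) // TICKS_PER_MS       # 922337203685477: 2^63 ticks, the infinite-wait magnitude


def classify_sleep_ms(ms: int, sandbox_budget_ms: int = 30_000) -> str:
    """Classify a reported delay (assumed to be in milliseconds)."""
    if ms == INFINITE_MS:
        return "indefinite: 2^63 ticks, the infinite-wait interval as NtDelayExecution sees it"
    if ms > sandbox_budget_ms:
        return f"{ms // 1000} s exceeds the {sandbox_budget_ms // 1000} s sandbox budget: evasive sleep"
    return "normal"


if __name__ == "__main__":
    for family, found in triage_strings(decoded_config()).items():
        for artifact in found:
            print(f"{family:16} {artifact}: {explain(artifact)}")
    for ms in (922337203685477, 99376, 500):
        print(f"delay {ms}: {classify_sleep_ms(ms)}")
```

The decoder refuses a run that does not end on a string boundary, which is the check that tells a real length-prefixed table from a coincidental run of characters; the leading fragment counts in LEADING come from the strings' visible text, since the dump cut off their prefixes.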
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Process created: C:\Users\user\Desktop\medline PO No. 9100002286.exe C:\Users\user\Desktop\medline PO No. 9100002286.exe
Note: the scheduled task is created from an XML definition written to the user's Temp directory; the task name Updates\RDdkJkTI and the file name tmp7588.tmp are the artefacts to hunt for, and the task name survives in the Task Scheduler tree even if the tmp file does not. The image path is SysWOW64\schtasks.exe although the command line names System32: the launcher is 32-bit and subject to WOW64 file-system redirection. The second process is the sample re-launching its own image; the Yara match on 6.2.medline PO No. 9100002286.exe.400000.0.unpack places the unpacked payload at the image base of that second instance, which is consistent with process hollowing.
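The two process-creation lines above are exactly what a detection engineer would key on: schtasks.exe creating a task from an XML file in a Temp directory, and a binary under C:\Users re-launching its own image. The following is an added example, not code from the report or from the sample, that applies both rules to constructed Sysmon-style process-creation events. Event 0 reproduces the schtasks invocation shown above (with the double quotes a real command line carries; the report renders them as single quotes); the benign vendor task in event 1, the Sysmon field names and the function names are assumptions made for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation events (Event ID 1 field names).
SAMPLE_EVENTS = [
    {   # the report's schtasks line, with real double quotes
        "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
        "ParentImage": "C:\\Users\\user\\Desktop\\medline PO No. 9100002286.exe",
        "CommandLine": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\RDdkJkTI" '
                       '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp7588.tmp"',
    },
    {   # made-up benign installer task: XML under ProgramData, must not fire
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": 'schtasks.exe /Create /TN "Vendor\\Updater" /XML "C:\\ProgramData\\Vendor\\updater-task.xml"',
    },
    {   # the report's self re-launch
        "Image": "C:\\Users\\user\\Desktop\\medline PO No. 9100002286.exe",
        "ParentImage": "C:\\Users\\user\\Desktop\\medline PO No. 9100002286.exe",
        "CommandLine": '"C:\\Users\\user\\Desktop\\medline PO No. 9100002286.exe"',
    },
]

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Value of a schtasks switch: optional quote, the value, optional quote, then the next switch or the end.
SWITCH = r"(?i)/{name}\s+[\"']?([^\"']+?)[\"']?(?=\s+/|\s*$)"
XML_ARG = re.compile(SWITCH.format(name="xml"))
TN_ARG = re.compile(SWITCH.format(name="tn"))


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def is_temp_path(path: str) -> bool:
    """True if the path sits in a per-user or system Temp directory."""
    low = path.lower()
    return any(t in low for t in TEMP_DIRS)


def check_event(ev: dict[str, str]) -> list[Finding]:
    """Apply both rules to one event and return the findings (empty list when clean)."""
    findings: list[Finding] = []
    image, parent, cmd = ev["Image"].lower(), ev["ParentImage"].lower(), ev["CommandLine"]

    # Rule 1: schtasks /Create whose task definition is an XML file in a Temp directory.
    # Matching on Image rather than on the path in the command line also covers the WOW64
    # case in the report, where System32 was requested and SysWOW64\schtasks.exe ran.
    if image.endswith("\\schtasks.exe") and re.search(r"(?i)/create\b", cmd):
        xml = XML_ARG.search(cmd)
        if xml and is_temp_path(xml.group(1)):
            tn = TN_ARG.search(cmd)
            task = tn.group(1) if tn else "<unknown>"
            findings.append(Finding("scheduled_task_from_temp_xml",
                                    f"task {task} defined by {xml.group(1)}; parent {ev['ParentImage']}"))

    # Rule 2: a binary under C:\Users launching its own image, the staging step seen before injection.
    if image == parent and image.startswith("c:\\users\\"):
        findings.append(Finding("self_respawn_from_user_path", ev["Image"]))
    return findings


def scan(events: list[dict[str, str]]) -> dict[int, list[str]]:
    """Rule names per offending event index; clean events are omitted."""
    hits = {i: [f.rule for f in check_event(ev)] for i, ev in enumerate(events)}
    return {i: rules for i, rules in hits.items() if rules}


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        for f in check_event(ev):
            print(f"event {i}: {f.rule}: {f.detail}")
```

Rule 1 deliberately ignores where the XML lives relative to the parent: a task defined from Temp is suspicious regardless of who creates it, while the parent image is carried in the finding so the analyst can pivot to the dropper.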
Source: medline PO No. 9100002286.exe, 00000006.00000002.505498852.0000000001700000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: medline PO No. 9100002286.exe, 00000006.00000002.505498852.0000000001700000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: medline PO No. 9100002286.exe, 00000006.00000002.505498852.0000000001700000.00000002.00000001.sdmp Binary or memory string: Progman
Source: medline PO No. 9100002286.exe, 00000006.00000002.505498852.0000000001700000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Note: these strings come from process 6, the re-launched instance that holds the payload. Progman ("Program Manager") is the window class of the desktop and Shell_TrayWnd that of the taskbar; whether the payload looks them up to confirm an interactive desktop cannot be told from the strings alone.
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Queries volume information: C:\Users\user\Desktop\medline PO No. 9100002286.exe VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Note: the GAC assemblies show a .NET Framework 4 Windows Forms application that references Microsoft.VisualBasic; the volume queries are the runtime resolving these assemblies, not an action of the sample in its own right.
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe Queries volume information on the following files under C:\Windows\Fonts\ (one VolumeInformation query per file, in the order observed):
arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf,
calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf,
constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf,
ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF,
Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf,
LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc,
ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc,
monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf,
segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc,
sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, trebuc.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf,
webdings.ttf, wingding.ttf, YuGothR.ttc, YuGothM.ttc, YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, CENTURY.TTF, LEELAWAD.TTF, LEELAWDB.TTF, MSUIGHUR.TTF, MSUIGHUB.TTF,
WINGDNG2.TTF, WINGDNG3.TTF, TEMPSITC.TTF, PRISTINA.TTF, PAPYRUS.TTF, MISTRAL.TTF, LHANDW.TTF, ITCKRIST.TTF, JUICE___.TTF, FRSCRIPT.TTF, FREESCPT.TTF, BRADHITC.TTF,
OUTLOOK.TTF, BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ANTQUABI.TTF, GARA.TTF, GARAIT.TTF, GARABD.TTF, MTCORSVA.TTF, GOTHIC.TTF, GOTHICI.TTF, GOTHICB.TTF, GOTHICBI.TTF,
ALGER.TTF, BASKVILL.TTF, BAUHS93.TTF, BELL.TTF, BELLI.TTF
Note: per-file volume queries across C:\Windows\Fonts are what GDI+ font enumeration by System.Drawing / Windows Forms looks like in a behaviour trace; they are a side effect of the loaded UI libraries and are not an indicator on their own.
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Queries volume information: C:\Users\user\Desktop\medline PO No. 9100002286.exe | VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.259808275.0000000003829000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5452, type: MEMORY
Source: Yara match | File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5748, type: MEMORY
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3aa8bd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3aa8bd0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3a3a1b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.medline PO No. 9100002286.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.506385916.0000000002E3F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5452, type: MEMORY

Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match; File source: 00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.259808275.0000000003829000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5452, type: MEMORY
Source: Yara match; File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5748, type: MEMORY
Source: Yara match; File source: 0.2.medline PO No. 9100002286.exe.3aa8bd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.medline PO No. 9100002286.exe.3aa8bd0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.medline PO No. 9100002286.exe.3a3a1b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.medline PO No. 9100002286.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 12 | Masquerading 1 | OS Credential Dumping 2 | Security Software Discovery 111 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 3 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Behavior Graph

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
medline PO No. 9100002286.exe | 29% | Virustotal |
medline PO No. 9100002286.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\RDdkJkTI.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
6.2.medline PO No. 9100002286.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen

Domains

Source | Detection | Scanner | Label
freegeoip.app | 1% | Virustotal |
checkip.dyndns.com | 0% | Virustotal |
checkip.dyndns.org | 0% | Virustotal |

URLs

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
freegeoip.app | 104.21.19.200 | true | false | | unknown
checkip.dyndns.com | 216.146.43.71 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://freegeoip.app/xml/LoadCountryNameClipboardmedline PO No. 9100002286.exe, 00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.tiro.comic_medline PO No. 9100002286.exe, 00000000.00000003.236003203.00000000057F1000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      low
                                                      http://www.jiyu-kobo.co.jp/bnrmedline PO No. 9100002286.exe, 00000000.00000003.237122449.00000000057D1000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.carterandcone.comlmedline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designersx.medline PO No. 9100002286.exe, 00000000.00000003.240192056.00000000057F1000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.fontbureau.com/designers/cabarga.htmlNmedline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmpfalse
                                                          high
                                                          http://www.founder.com.cn/cnmedline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers/frere-jones.htmlmedline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmpfalse
                                                            high
                                                            http://www.jiyu-kobo.co.jp/#nmedline PO No. 9100002286.exe, 00000000.00000003.236454321.00000000057D1000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers/_medline PO No. 9100002286.exe, 00000000.00000003.239224383.00000000057D1000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.fontbureau.comgretaUnmedline PO No. 9100002286.exe, 00000000.00000003.240066120.00000000057D1000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.fontbureau.comd1nmedline PO No. 9100002286.exe, 00000000.00000003.240066120.00000000057D1000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.urwpp.deomedline PO No. 9100002286.exe, 00000000.00000003.239026468.00000000057F1000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/medline PO No. 9100002286.exe, 00000000.00000003.236454321.00000000057D1000.00000004.00000001.sdmp, medline PO No. 9100002286.exe, 00000000.00000003.236303084.00000000057D1000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.fontbureau.comomedline PO No. 9100002286.exe, 00000000.00000003.239339502.00000000057D1000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.tiro.como?medline PO No. 9100002286.exe, 00000000.00000003.236003203.00000000057F1000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.fontbureau.com/designers8medline PO No. 9100002286.exe, 00000000.00000002.269280942.00000000058B0000.00000002.00000001.sdmpfalse
                                                                high
                                                                http://www.tiro.comL?~medline PO No. 9100002286.exe, 00000000.00000003.236003203.00000000057F1000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.fontbureau.comalicmedline PO No. 9100002286.exe, 00000000.00000003.241155999.00000000057D1000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers:medline PO No. 9100002286.exe, 00000000.00000003.240812351.00000000057F1000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://www.jiyu-kobo.co.jp/FFmedline PO No. 9100002286.exe, 00000000.00000003.237122449.00000000057D1000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers/medline PO No. 9100002286.exe, 00000000.00000003.239062434.00000000057F1000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://web.archive.org/web/20150218144800/http://faculty.darden.virginia.edu/conroyb/derivatives/Binmedline PO No. 9100002286.exefalse
                                                                      high
                                                                      http://www.fontbureau.comituamedline PO No. 9100002286.exe, 00000000.00000003.240229530.00000000057D1000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown

Contacted IPs

Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 104.21.19.200 | freegeoip.app | United States | 13335 | CLOUDFLARENETUS | false |
| 216.146.43.71 | checkip.dyndns.com | United States | 33517 | DYNDNSUS | false |

Private

| IP |
|---|
| 192.168.2.1 |

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 399505
Start date: 28.04.2021
Start time: 21:10:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: medline PO No. 9100002286.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/4@3/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 47
• Number of non-executed functions: 29
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.210.154, 52.255.188.83, 13.88.21.125, 40.88.32.150, 184.30.25.143, 104.42.151.234, 13.64.90.137, 23.57.80.111, 52.147.198.201, 92.122.213.247, 92.122.213.194, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 21:11:11 | API Interceptor | 1x Sleep call for process: medline PO No. 9100002286.exe modified |

Joe Sandbox View / Context

IPs

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| 104.21.19.200 | RFQ for MR 29483 for Affordable Villa.doc | malicious | |
| | Enquiry of GI Pipes - Enq 557.doc | malicious | |
| | 5314ae13_by_Libranalysis.doc | malicious | |
| | D5PVG3MX.exe | malicious | |
| | APEw50m3sh.exe | malicious | |
| | G3d6OlXuMl.exe | malicious | |
| | EgxPhIz7wa.exe | malicious | |
| | PgiRDH1NyO.exe | malicious | |
| | QZbps4eGRi.exe | malicious | |
| | ENQUIRY-NOVA11810426JJ-RFQ.exe | malicious | |
| | swift copy payment.exe | malicious | |
| | iduytrsegdfghjklkhgfdzsr.exe | malicious | |
| | MACHINE PO. 042021.exe | malicious | |
| | RFQ 7349.doc | malicious | |
| | IMG_6037_020120.exe | malicious | |
| | eSVPYmVdWAZvRJP.exe | malicious | |
| | 645637465677_9586746536635568_88675667.exe | malicious | |
| | FROCH GEN INQUIRY.doc | malicious | |
| | HKHSBC1D23297029-T01 Payment proof.exe | malicious | |
| | full list.exe | malicious | |
| 216.146.43.71 | MACHINE PO. 042021.exe | malicious | checkip.dyndns.org/ |
| | IMG_6037_020120.exe | malicious | checkip.dyndns.org/ |
| | 645637465677_9586746536635568_88675667.exe | malicious | checkip.dyndns.org/ |
| | wjDEFjBmRPC0e4U.exe | malicious | checkip.dyndns.org/ |
| | VALVES_QBCG0409.doc | malicious | checkip.dyndns.org/ |
| | Wangchao Energy Technology Co., Ltd.doc | malicious | checkip.dyndns.org/ |
| | SWIFT COPY OF PAYMENT TRANSFER.EXE | malicious | checkip.dyndns.org/ |
| | Balan#U00e7o Patrimonial_2022 0420.exe | malicious | checkip.dyndns.org/ |
| | Purchase order.exe | malicious | checkip.dyndns.org/ |
| | Qr6TGA9mxOLh8uw.exe | malicious | checkip.dyndns.org/ |
| | STATEMENT NO -- NAS-2021-1489.exe | malicious | checkip.dyndns.org/ |
| | 9TH042021.exe | malicious | checkip.dyndns.org/ |
| | OVERSIGT.pdf.exe | malicious | checkip.dyndns.org/ |
| | orden Q2.exe | malicious | checkip.dyndns.org/ |
| | 9ml6pAYt9q.exe | malicious | checkip.dyndns.org/ |
| | qiMQUSGUsU.exe | malicious | checkip.dyndns.org/ |
| | RBL 053980200.exe | malicious | checkip.dyndns.org/ |
| | NEW REQUEST.exe | malicious | checkip.dyndns.org/ |
| | 8L0TFKEH.exe | malicious | checkip.dyndns.org/ |
| | IMG_50_78_63.xls | malicious | checkip.dyndns.org/ |

Domains

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| checkip.dyndns.com | Wh00Ny9HXk.exe | malicious | 162.88.193.70 |
| | ZRpmP5qEC1.exe | malicious | 162.88.193.70 |
| | 4G842SDA.exe | malicious | 216.146.43.70 |
| | Halkbank_Ekstre_20210426_080203_744632.pdf.exe | malicious | 162.88.193.70 |
| | Aeon Viet Nam Co.,Ltd.doc | malicious | 162.88.193.70 |
| | Bank Remittance Copy0572001. PDF.exe | malicious | 131.186.113.70 |
| | RFQ for MR 29483 for Affordable Villa.doc | malicious | 162.88.193.70 |
| | Enquiry of GI Pipes - Enq 557.doc | malicious | 162.88.193.70 |
| | 5314ae13_by_Libranalysis.doc | malicious | 162.88.193.70 |
| | SOA,.exe | malicious | 131.186.113.70 |
| | PANTA,xlx.exe | malicious | 131.186.161.70 |
| | D5PVG3MX.exe | malicious | 162.88.193.70 |
| | FACTURA.exe | malicious | 131.186.113.70 |
| | APEw50m3sh.exe | malicious | 131.186.161.70 |
| | G3d6OlXuMl.exe | malicious | 131.186.161.70 |
| | EgxPhIz7wa.exe | malicious | 131.186.161.70 |
| | PgiRDH1NyO.exe | malicious | 131.186.161.70 |
| | QZbps4eGRi.exe | malicious | 216.146.43.70 |
| | x42HkeDEsE.exe | malicious | 131.186.161.70 |
| | n9v8d0AqE0.exe | malicious | 162.88.193.70 |
| freegeoip.app | Wh00Ny9HXk.exe | malicious | |
                                                                                                              • 172.67.188.154
                                                                                                              ZRpmP5qEC1.exeGet hashmaliciousBrowse
                                                                                                              • 172.67.188.154
                                                                                                              4G842SDA.exeGet hashmaliciousBrowse
                                                                                                              • 172.67.188.154
                                                                                                              Halkbank_Ekstre_20210426_080203_744632.pdf.exeGet hashmaliciousBrowse
                                                                                                              • 172.67.188.154
                                                                                                              Aeon Viet Nam Co.,Ltd.docGet hashmaliciousBrowse
                                                                                                              • 172.67.188.154
                                                                                                              Bank Remittance Copy0572001. PDF.exeGet hashmaliciousBrowse
                                                                                                              • 172.67.188.154
                                                                                                              RFQ for MR 29483 for Affordable Villa.docGet hashmaliciousBrowse
                                                                                                              • 104.21.19.200
                                                                                                              Enquiry of GI Pipes - Enq 557.docGet hashmaliciousBrowse
                                                                                                              • 104.21.19.200
                                                                                                              5314ae13_by_Libranalysis.docGet hashmaliciousBrowse
                                                                                                              • 104.21.19.200
                                                                                                              SOA,.exeGet hashmaliciousBrowse
                                                                                                              • 172.67.188.154
                                                                                                              PANTA,xlx.exeGet hashmaliciousBrowse
                                                                                                              • 172.67.188.154
                                                                                                              D5PVG3MX.exeGet hashmaliciousBrowse
                                                                                                              • 104.21.19.200
                                                                                                              FACTURA.exeGet hashmaliciousBrowse
                                                                                                              • 172.67.188.154
                                                                                                              APEw50m3sh.exeGet hashmaliciousBrowse
                                                                                                              • 104.21.19.200
                                                                                                              G3d6OlXuMl.exeGet hashmaliciousBrowse
                                                                                                              • 104.21.19.200
                                                                                                              EgxPhIz7wa.exeGet hashmaliciousBrowse
                                                                                                              • 104.21.19.200
                                                                                                              PgiRDH1NyO.exeGet hashmaliciousBrowse
                                                                                                              • 104.21.19.200
                                                                                                              QZbps4eGRi.exeGet hashmaliciousBrowse
                                                                                                              • 104.21.19.200
                                                                                                              x42HkeDEsE.exeGet hashmaliciousBrowse
                                                                                                              • 172.67.188.154
                                                                                                              n9v8d0AqE0.exeGet hashmaliciousBrowse
                                                                                                              • 172.67.188.154

ASN

Associated Sample Name / URL | Detection | Context

Match: DYNDNSUS
Wh00Ny9HXk.exe | malicious | 162.88.193.70
ZRpmP5qEC1.exe | malicious | 162.88.193.70
4G842SDA.exe | malicious | 216.146.43.70
Halkbank_Ekstre_20210426_080203_744632.pdf.exe | malicious | 162.88.193.70
Aeon Viet Nam Co.,Ltd.doc | malicious | 162.88.193.70
Bank Remittance Copy0572001. PDF.exe | malicious | 131.186.113.70
RFQ for MR 29483 for Affordable Villa.doc | malicious | 162.88.193.70
Enquiry of GI Pipes - Enq 557.doc | malicious | 162.88.193.70
5314ae13_by_Libranalysis.doc | malicious | 162.88.193.70
SOA,.exe | malicious | 131.186.113.70
PANTA,xlx.exe | malicious | 131.186.161.70
D5PVG3MX.exe | malicious | 162.88.193.70
FACTURA.exe | malicious | 131.186.113.70
APEw50m3sh.exe | malicious | 131.186.161.70
G3d6OlXuMl.exe | malicious | 131.186.161.70
EgxPhIz7wa.exe | malicious | 131.186.161.70
PgiRDH1NyO.exe | malicious | 131.186.161.70
QZbps4eGRi.exe | malicious | 216.146.43.70
x42HkeDEsE.exe | malicious | 131.186.161.70
n9v8d0AqE0.exe | malicious | 162.88.193.70

Match: CLOUDFLARENETUS
PaymentNotification.vbs | malicious | 104.16.154.36
Mga2NdfMyb.exe | malicious | 104.17.63.50
EtnlEBRJwT.exe | malicious | 104.17.63.50
T4QllcPRsl.exe | malicious | 104.21.6.252
Telex_Copy.html | malicious | 104.16.18.94
b304a312_by_Libranalysis.exe | malicious | 104.26.12.31
Ha11NppGrb.exe | malicious | 104.21.85.176
Wh00Ny9HXk.exe | malicious | 172.67.188.154
ZRpmP5qEC1.exe | malicious | 172.67.188.154
NIxm9vbD6u.exe | malicious | 104.17.62.50
Setup.exe | malicious | 104.23.98.190
4G842SDA.exe | malicious | 172.67.188.154
Bestellen.exe | malicious | 172.67.208.174
PR#270473.exe | malicious | 104.16.13.194
VM_04_28_22.HTM | malicious | 104.18.11.207
SkKcQaHEB8.exe | malicious | 162.159.130.233
Halkbank_Ekstre_20210426_080203_744632.pdf.exe | malicious | 172.67.188.154
Aeon Viet Nam Co.,Ltd.doc | malicious | 172.67.188.154
shipment # 46-2021.jpg.exe | malicious | 172.67.200.16
Bank Remittance Copy0572001. PDF.exe | malicious | 172.67.188.154

JA3 Fingerprints

Associated Sample Name / URL | Detection | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
b304a312_by_Libranalysis.exe | malicious | 104.21.19.200
Wh00Ny9HXk.exe | malicious | 104.21.19.200
ZRpmP5qEC1.exe | malicious | 104.21.19.200
Halkbank_Ekstre_20210426_080203_744632.pdf.exe | malicious | 104.21.19.200
HBS_5012306171.doc | malicious | 104.21.19.200
Aeon Viet Nam Co.,Ltd.doc | malicious | 104.21.19.200
5314ae13_by_Libranalysis.doc | malicious | 104.21.19.200
SOA,.exe | malicious | 104.21.19.200
vN55fSfVUF.exe | malicious | 104.21.19.200
867353735-2021 Presentation Details.vbs | malicious | 104.21.19.200
PANTA,xlx.exe | malicious | 104.21.19.200
ORIENTAL -COMMERCIAL INVOICE.pdf.exe | malicious | 104.21.19.200
kVXWdr5oFQ.exe | malicious | 104.21.19.200
D5PVG3MX.exe | malicious | 104.21.19.200
FACTURA.exe | malicious | 104.21.19.200
APEw50m3sh.exe | malicious | 104.21.19.200
G3d6OlXuMl.exe | malicious | 104.21.19.200
EgxPhIz7wa.exe | malicious | 104.21.19.200
PgiRDH1NyO.exe | malicious | 104.21.19.200

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\medline PO No. 9100002286.exe.log
Process: C:\Users\user\Desktop\medline PO No. 9100002286.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp7588.tmp
Process: C:\Users\user\Desktop\medline PO No. 9100002286.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1657
Entropy (8bit): 5.171369275365613
Encrypted: false
SSDEEP: 24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBcOtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3So
MD5: 611807E0D7660C5D5B4ED30DA3C02D9E
SHA1: F76D30B32841CE05D077200904758C0C243130A1
SHA-256: 80654E2F9CA0173B0A3427E5D3BE2A2C41ECDFDDDF67A5E395B793D63FC504D9
SHA-512: D53C54489D50D012822A26F88C0ECEA9FE0CDF273C06FDCC96A93045314398E0E40453FF5860C5421481D368D88177BDD8A5A6FBBD7DEC45034946DEDCE16FEA
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
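The tmp7588.tmp file above is a Task Scheduler definition written by the sample: an enabled LogonTrigger, a principal running with the interactive user's token at LeastPrivilege, and a registration date years older than the analysis. Two details matter when you triage such a file yourself. First, the XML declares UTF-16 while the report identifies it as ASCII, so a parser that trusts the declaration fails on it. Second, the preview is truncated before the Actions element, so the command the task launches is not visible here. The following Python triage helper is an added example, not code from the report, the sandbox or the sample. Its embedded task XML is constructed to mirror the preview's structure; the Hidden setting, the Exec action and its command path (the dropped RDdkJkTI.exe under AppData\Roaming) are assumptions, and the stale-registration check is a heuristic.

```python
"""Triage a Windows Task Scheduler XML definition for persistence indicators.

Added example, not code from the report, the sandbox or the sample. SAMPLE_TASK_XML
mirrors the tmp7588.tmp preview; its Hidden setting, Exec action and command path
are assumptions, since the preview is truncated before the <Actions> element.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")
# Profile locations an unprivileged user can write to (lower-cased, backslash form).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# Constructed sample; the Hidden setting and the Actions element are assumed (see docstring).
SAMPLE_TASK_XML = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\RDdkJkTI.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def load_task(data: bytes) -> ET.Element:
    """Parse a task file whose bytes may not match its declared encoding.

    schtasks writes UTF-16 LE with a BOM, but this dropped file declares UTF-16 while
    being ASCII. Sniff the BOM, then strip the declaration so expat never rejects it.
    """
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")
    return ET.fromstring(DECL_RE.sub("", text, count=1))


def summarize(root: ET.Element, analysis_date: Optional[str] = None) -> dict:
    """Return how, when and as whom the task runs; analysis_date is ISO YYYY-MM-DD."""
    def text(path: str) -> str:
        return (root.findtext(path, "", NS) or "").strip()

    triggers_el = root.find("t:Triggers", NS)
    # A trigger without an <Enabled> element is enabled by default.
    triggers = [t.tag.split("}")[-1] for t in (list(triggers_el) if triggers_el is not None else [])
                if (t.findtext("t:Enabled", "true", NS) or "").strip().lower() == "true"]
    commands = [(c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    info = {
        "author": text("t:RegistrationInfo/t:Author"),
        "registered": text("t:RegistrationInfo/t:Date"),
        "triggers": triggers,
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "commands": commands,
    }
    findings = []
    if "LogonTrigger" in triggers:
        findings.append("LogonTrigger: re-executes at every interactive logon of the task user")
    if info["run_level"] == "LeastPrivilege":
        findings.append("LeastPrivilege: persists without elevation, so no UAC prompt is raised")
    if info["hidden"]:
        findings.append("Hidden: not listed by default in the Task Scheduler UI")
    for cmd in commands:
        if any(p in cmd.lower() for p in USER_WRITABLE):
            findings.append(f"Exec from user-writable path: {cmd}")
    if analysis_date and len(info["registered"]) >= 10:
        age = (date.fromisoformat(analysis_date) - date.fromisoformat(info["registered"][:10])).days
        if age > 365:  # heuristic: a years-old date suggests the XML is a template shipped with the sample
            findings.append(f"RegistrationInfo/Date predates analysis by {age} days: likely a hardcoded template")
    info["findings"] = findings
    return info
```

Usage: `summarize(load_task(open(path, "rb").read()), analysis_date="2021-04-28")` on the real dropped file yields the same fields for the actual task, including the Actions element the preview cuts off. The BOM sniff also handles a genuine schtasks export, so the same helper works on task XML pulled from a live host. The registration-date check only says the date is implausible for a task created during the run; treat it as a pivot, not a conclusion.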
C:\Users\user\AppData\Roaming\RDdkJkTI.exe
Process: C:\Users\user\Desktop\medline PO No. 9100002286.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 541184
Entropy (8bit): 7.797550711328208
Encrypted: false
SSDEEP: 12288:uyJSRBzuPQdqGeRwkA3PiJ8rzrDONmI1/PIKSBNdYTvA:ZJr8qG9pA8mUI13IdSA
MD5: 3B4740623C70111CF16CD73E2CE7E1E5
SHA1: CADDFF5529C85F69A942A7436EDECD6122A16AC1
SHA-256: B20B1C9C785100E0E18623C7F34843A82E066F0F91AF93410654733C9E7E4513
SHA-512: 1CF57588A3A5CB0301A9231C3751316A283E7E052098D78347894215CF90ACBD74917BAAEF1D47A07BEC704FD5DF2A2811CE2E16D6E51F6A35A8B820082F8696
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
                                                                                                              Reputation:low
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e[.`.................,...........K... ........@.. ....................................@.................................DK..W....`............................................................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............@..............@..B.................K......H.......ln..............\................................................0............(....(..........(.....o.....*.....................(.......(.......(.......(.......(.....*.N..(....o....(.....*N..(....o....(.....*&..(.....*...s.........s.........s.........s.........s.........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.................,.........o....+....9....~.........,2~...
                                                                                                              C:\Users\user\AppData\Roaming\RDdkJkTI.exe:Zone.Identifier
                                                                                                              Process:C:\Users\user\Desktop\medline PO No. 9100002286.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26
                                                                                                              Entropy (8bit):3.95006375643621
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                              Malicious:true
                                                                                                              Reputation:high, very likely benign file
                                                                                                              Preview: [ZoneTransfer]....ZoneId=0

                                                                                                              Static File Info

                                                                                                              General

                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Entropy (8bit):7.797550711328208
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                              File name:medline PO No. 9100002286.exe
                                                                                                              File size:541184
                                                                                                              MD5:3b4740623c70111cf16cd73e2ce7e1e5
                                                                                                              SHA1:caddff5529c85f69a942a7436edecd6122a16ac1
                                                                                                              SHA256:b20b1c9c785100e0e18623c7f34843a82e066f0f91af93410654733c9e7e4513
                                                                                                              SHA512:1cf57588a3a5cb0301a9231c3751316a283e7e052098d78347894215cf90acbd74917baaef1d47a07bec704fd5df2a2811ce2e16d6e51f6a35a8b820082f8696
                                                                                                              SSDEEP:12288:uyJSRBzuPQdqGeRwkA3PiJ8rzrDONmI1/PIKSBNdYTvA:ZJr8qG9pA8mUI13IdSA
                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e[.`.................,...........K... ........@.. ....................................@................................

                                                                                                              File Icon

                                                                                                              Icon Hash:00828e8e8686b000

                                                                                                              Static PE Info

                                                                                                              General

                                                                                                              Entrypoint:0x484b9e
                                                                                                              Entrypoint Section:.text
                                                                                                              Digitally signed:false
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                              Time Stamp:0x60895B65 [Wed Apr 28 12:56:05 2021 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:v4.0.30319
                                                                                                              OS Version Major:4
                                                                                                              OS Version Minor:0
                                                                                                              File Version Major:4
                                                                                                              File Version Minor:0
                                                                                                              Subsystem Version Major:4
                                                                                                              Subsystem Version Minor:0
                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                              Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (the remaining 97 instructions of the preview are all this one: 00 00 decodes as add byte ptr [eax], al, so everything after the 6-byte jmp stub is zero padding)

                                                                                                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84b44 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x86000 | 0x1200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x82ba4 | 0x82c00 | False | 0.877963297682 | data | 7.81158493919 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x86000 | 0x1200 | 0x1200 | False | 0.37890625 | data | 4.92405193582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x88000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                              Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x86090 | 0x368 | data | |
RT_MANIFEST | 0x86408 | 0xd25 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

                                                                                                              Imports

DLL | Import
mscoree.dll | _CorExeMain
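
The static fields above are what a triage script pulls from the headers without running the file: the entry point and image base, the link timestamp, the DllCharacteristics flags, the IAT at RVA 0x2000 and the COM descriptor (CLR header) at 0x2008, three sections of which .text sits at 7.81 bits per byte, and a single import, mscoree.dll!_CorExeMain, behind the `jmp dword ptr [00402000h]` in the entrypoint preview. The parser below is an added example and is not code from the report or from Joe Sandbox: a pure-Python walk of a PE32 image that reports those fields, computes per-section Shannon entropy, and checks that the entry point is the standard .NET stub (FF 25 jmp through the IAT). Because the sample itself is not on the page, `build_sample_pe()` constructs a small synthetic PE32 whose headers mirror the report (image base 0x400000, timestamp 0x60895B65, the same DllCharacteristics, section names and characteristics, IAT and CLR directories); its section contents, entry RVA and sizes are assumptions, and no import table is populated.

```python
"""Header-level PE32 triage: entry point, image base, link timestamp, DllCharacteristics, data
directories, sections with Shannon entropy, and a check that the entry point is the .NET stub.
Added example, not code from the report or from Joe Sandbox; build_sample_pe() constructs a
synthetic PE32 whose headers mirror the report, while its section bytes and entry RVA are assumptions."""
import hashlib
import struct
from collections import Counter
from datetime import datetime, timezone
from math import log2

DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x20: "CNT_CODE", 0x40: "CNT_INITIALIZED_DATA", 0x02000000: "MEM_DISCARDABLE",
                 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG", "COPYRIGHT",
                   "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
PACKED_THRESHOLD = 7.0  # heuristic: compressed or encrypted data approaches 8 bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); the per-section figure in the report."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) if n else 0.0


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, timestamp, opt_size = struct.unpack_from("<2xHI8xH2x", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 only; PE32+ (magic 0x20B) widens ImageBase and shifts the directories")
    entry_rva, _, _, image_base = struct.unpack_from("<4I", data, opt + 16)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs, sections = {}, []
    for i in range(min(ndirs, 16)):
        va, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if va or size:
            dirs[DIRECTORY_NAMES[i]] = (va, size)
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, chars = struct.unpack_from(
            "<8s4I12xI", data, opt + opt_size + 40 * i)
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "entropy": round(ent, 4),
                         "flags": flag_names(chars, SECTION_FLAGS),
                         "likely_packed": ent > PACKED_THRESHOLD and bool(chars & 0x20000000)})
    entry_sec = next((s["name"] for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {"image_base": image_base, "entry_point": image_base + entry_rva, "entry_section": entry_sec,
            "subsystem": subsystem, "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
            "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS), "data_directories": dirs,
            "is_dotnet": "COM_DESCRIPTOR" in dirs, "sections": sections}


def entry_is_clr_stub(data: bytes, info: dict) -> bool:
    """Managed PE32 entry is only `jmp dword ptr [IAT slot]` (FF 25) to mscoree!_CorExeMain; anything else is odd."""
    rva = info["entry_point"] - info["image_base"]
    sec = next((s for s in info["sections"] if s["va"] <= rva < s["va"] + s["raw_size"]), None)
    if sec is None or "IAT" not in info["data_directories"]:
        return False
    opcode, target = struct.unpack_from("<2sI", data, sec["raw_ptr"] + rva - sec["va"])
    return opcode == b"\xff\x25" and target == info["image_base"] + info["data_directories"]["IAT"][0]


def build_sample_pe() -> bytes:
    """Constructed PE32: headers as in the report; section bodies are synthetic filler (assumption)."""
    filler = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(32))[:0x3F0]
    text = filler + b"\xff\x25\x00\x20\x40\x00"          # ends with: jmp dword ptr [00402000h]
    rsrc = b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1'></assembly>"
    reloc = struct.pack("<IIHH", 0x2000, 12, 0x33F2, 0)  # one HIGHLOW fixup for the stub operand
    layout = [(b".text", 0x2000, text, 0x60000020), (b".rsrc", 0x4000, rsrc, 0x40000040),
              (b".reloc", 0x6000, reloc, 0x42000040)]
    dirs = [(0, 0)] * 16
    dirs[2], dirs[5], dirs[12], dirs[14] = (0x4000, len(rsrc)), (0x6000, 12), (0x2000, 8), (0x2008, 0x48)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 48, 0, 0x400, 0x400, 0,
                      0x2000 + 0x3F0, 0x2000, 0x4000, 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x8000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<32I", *[v for pair in dirs for v in pair])
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x60895B65, 0, 0, len(opt), 0x0102)
    hdrs, bodies, raw_ptr = b"", b"", 0x200
    for name, rva, raw, chars in layout:
        padded = raw.ljust(-(-len(raw) // 0x200) * 0x200, b"\0")  # FileAlignment 0x200
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, len(padded), raw_ptr, 0, 0, 0, 0, chars)
        bodies, raw_ptr = bodies + padded, raw_ptr + len(padded)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + bodies


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print({k: v for k, v in info.items() if k != "sections"}, *info["sections"], sep="\n")
```

The 7.0 threshold is a heuristic, but the shape it catches is exactly the report's: a .text section near 7.8 bits per byte, a CLR header, and one native import, which is the profile of a packed or crypted .NET loader whose real payload only appears in memory. For a PE32+ image the same walk applies after reading ImageBase as 8 bytes at optional-header offset 24 and the data directories from offset 112.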

                                                                                                              Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | GerH
Assembly Version | 1.0.0.0
InternalName | AssemblyFlagsAttribute.exe
FileVersion | 1.0.0.0
CompanyName | GerH
LegalTrademarks |
Comments |
ProductName | Optionen auf Futures
ProductVersion | 1.0.0.0
FileDescription | OptionenFutures
OriginalFilename | AssemblyFlagsAttribute.exe

                                                                                                              Network Behavior

                                                                                                              Network Port Distribution

                                                                                                              TCP Packets


UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 28, 2021 21:11:19.960777998 CEST | 192.168.2.7 | 8.8.8.8 | 0x41ab | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:20.034420013 CEST | 192.168.2.7 | 8.8.8.8 | 0xb2ae | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:24.261792898 CEST | 192.168.2.7 | 8.8.8.8 | 0xcc12 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 28, 2021 21:11:20.010729074 CEST | 8.8.8.8 | 192.168.2.7 | 0x41ab | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
Apr 28, 2021 21:11:20.010729074 CEST | 8.8.8.8 | 192.168.2.7 | 0x41ab | No error (0) | checkip.dyndns.com | | 216.146.43.71 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:20.010729074 CEST | 8.8.8.8 | 192.168.2.7 | 0x41ab | No error (0) | checkip.dyndns.com | | 162.88.193.70 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:20.010729074 CEST | 8.8.8.8 | 192.168.2.7 | 0x41ab | No error (0) | checkip.dyndns.com | | 216.146.43.70 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:20.010729074 CEST | 8.8.8.8 | 192.168.2.7 | 0x41ab | No error (0) | checkip.dyndns.com | | 131.186.113.70 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:20.010729074 CEST | 8.8.8.8 | 192.168.2.7 | 0x41ab | No error (0) | checkip.dyndns.com | | 131.186.161.70 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:20.083317995 CEST | 8.8.8.8 | 192.168.2.7 | 0xb2ae | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
Apr 28, 2021 21:11:20.083317995 CEST | 8.8.8.8 | 192.168.2.7 | 0xb2ae | No error (0) | checkip.dyndns.com | | 131.186.161.70 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:20.083317995 CEST | 8.8.8.8 | 192.168.2.7 | 0xb2ae | No error (0) | checkip.dyndns.com | | 162.88.193.70 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:20.083317995 CEST | 8.8.8.8 | 192.168.2.7 | 0xb2ae | No error (0) | checkip.dyndns.com | | 131.186.113.70 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:20.083317995 CEST | 8.8.8.8 | 192.168.2.7 | 0xb2ae | No error (0) | checkip.dyndns.com | | 216.146.43.71 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:20.083317995 CEST | 8.8.8.8 | 192.168.2.7 | 0xb2ae | No error (0) | checkip.dyndns.com | | 216.146.43.70 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:24.325534105 CEST | 8.8.8.8 | 192.168.2.7 | 0xcc12 | No error (0) | freegeoip.app | | 104.21.19.200 | A (IP address) | IN (0x0001)
Apr 28, 2021 21:11:24.325534105 CEST | 8.8.8.8 | 192.168.2.7 | 0xcc12 | No error (0) | freegeoip.app | | 172.67.188.154 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• checkip.dyndns.org

HTTP Packets

Session ID: 0 | Source IP: 192.168.2.7 | Source Port: 49711 | Destination IP: 216.146.43.71 | Destination Port: 80 | Process: C:\Users\user\Desktop\medline PO No. 9100002286.exe

Timestamp | kBytes transferred | Direction | Data
Apr 28, 2021 21:11:20.178013086 CEST | 1378 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Apr 28, 2021 21:11:20.238352060 CEST | 1379 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 102
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.3</body></html>


Session ID: 1 | Source IP: 192.168.2.7 | Source Port: 49712 | Destination IP: 216.146.43.71 | Destination Port: 80 | Process: C:\Users\user\Desktop\medline PO No. 9100002286.exe

Timestamp | kBytes transferred | Direction | Data
Apr 28, 2021 21:11:20.796694994 CEST | 1379 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Apr 28, 2021 21:11:20.857244015 CEST | 1380 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 102
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.3</body></html>


                                                                                                              HTTPS Packets

Timestamp: Apr 28, 2021 21:11:24.484680891 CEST
Source IP: 104.21.19.200
Source Port: 443
Dest IP: 192.168.2.7
Dest Port: 49715
Certificate chain:
1. Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
   Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
   Not Before: Mon Aug 10 02:00:00 CEST 2020
   Not After: Tue Aug 10 14:00:00 CEST 2021
2. Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
   Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
   Not Before: Mon Jan 27 13:48:08 CET 2020
   Not After: Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

                                                                                                              Code Manipulations

                                                                                                              Statistics

                                                                                                              CPU Usage

                                                                                                              Memory Usage

                                                                                                              High Level Behavior Distribution

                                                                                                              Behavior

                                                                                                              System Behavior

                                                                                                              General

                                                                                                              Start time:21:11:03
                                                                                                              Start date:28/04/2021
                                                                                                              Path:C:\Users\user\Desktop\medline PO No. 9100002286.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\Desktop\medline PO No. 9100002286.exe'
                                                                                                              Imagebase:0x400000
                                                                                                              File size:541184 bytes
                                                                                                              MD5 hash:3B4740623C70111CF16CD73E2CE7E1E5
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.259808275.0000000003829000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.259808275.0000000003829000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              Reputation:low

                                                                                                              General

                                                                                                              Start time:21:11:14
                                                                                                              Start date:28/04/2021
                                                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
                                                                                                              Imagebase:0x1100000
                                                                                                              File size:185856 bytes
                                                                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:21:11:15
                                                                                                              Start date:28/04/2021
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff774ee0000
                                                                                                              File size:625664 bytes
                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:21:11:15
                                                                                                              Start date:28/04/2021
                                                                                                              Path:C:\Users\user\Desktop\medline PO No. 9100002286.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Users\user\Desktop\medline PO No. 9100002286.exe
                                                                                                              Imagebase:0x9b0000
                                                                                                              File size:541184 bytes
                                                                                                              MD5 hash:3B4740623C70111CF16CD73E2CE7E1E5
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.506385916.0000000002E3F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              Reputation:low

                                                                                                              Disassembly

                                                                                                              Code Analysis

                                                                                                                Executed Functions

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 435f4c3243157c518100077258fb5301ba2c6acac4686124c0f5a48ba4264269
                                                                                                                • Instruction ID: 61c3321a86db304cae3eb1c3365ba573df0ab14a3551fd23f8eae246bda7911c
                                                                                                                • Opcode Fuzzy Hash: 435f4c3243157c518100077258fb5301ba2c6acac4686124c0f5a48ba4264269
                                                                                                                • Instruction Fuzzy Hash: 5ED1AB72B112058FEB19EB76C450BAFB7EBAF88700F15846DD10A8B295DB34E906CB51
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8c2c5c84a1b80c7e80cbf2a1de609eca0538ca36536f8a8fb651a226dba0a580
                                                                                                                • Instruction ID: 08ce34ef6377951d32abb8ac2faa15d64a9bf7d054067c458480e408ed9f1437
                                                                                                                • Opcode Fuzzy Hash: 8c2c5c84a1b80c7e80cbf2a1de609eca0538ca36536f8a8fb651a226dba0a580
                                                                                                                • Instruction Fuzzy Hash: 43C1AC71B152448FDB18DBA4D594BAEBBF2AF89300F2180A9E506EB7A1CB34DD05CB51
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3c54cf5dc0d7ac17bf76489491b440d4f5475b7ae082de2021bd03d15d0c47c9
                                                                                                                • Instruction ID: 5dde85f873cf3330ae63a27fe7858f49637e766a62be0fbd3032ebcca9711196
                                                                                                                • Opcode Fuzzy Hash: 3c54cf5dc0d7ac17bf76489491b440d4f5475b7ae082de2021bd03d15d0c47c9
                                                                                                                • Instruction Fuzzy Hash: 92115731D182198FDB14CFA5C418BFEBBF5AF4E311F15906AD415B3290DB789984CB68
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 02606BF0
                                                                                                                • GetCurrentThread.KERNEL32 ref: 02606C2D
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 02606C6A
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 02606CC3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Current$ProcessThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2063062207-0
                                                                                                                • Opcode ID: 462c24a911f77966599ce716ce9fa9d1efdec2095a42df14a58a0d983ddd0aec
                                                                                                                • Instruction ID: aa3163e23ef75a5ecb9adbbb650e1bbf9e369ec2388d9fb57e3452489b98c7d0
                                                                                                                • Opcode Fuzzy Hash: 462c24a911f77966599ce716ce9fa9d1efdec2095a42df14a58a0d983ddd0aec
                                                                                                                • Instruction Fuzzy Hash: 7B5166B4A04648CFDB14CFA9D68879EBBF0EF48304F14849AE119A7390D7749844CF65
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 02606BF0
                                                                                                                • GetCurrentThread.KERNEL32 ref: 02606C2D
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 02606C6A
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 02606CC3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Current$ProcessThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2063062207-0
                                                                                                                • Opcode ID: 14a5b05ed8e52c02b17c980d09ad174d0768f28ba1cd5a663b7b45ca039c8a9d
                                                                                                                • Instruction ID: f67b2b50ba9b8c847e8c8acba36703c8ccd923465767956c294ad928b2db7f8b
                                                                                                                • Opcode Fuzzy Hash: 14a5b05ed8e52c02b17c980d09ad174d0768f28ba1cd5a663b7b45ca039c8a9d
                                                                                                                • Instruction Fuzzy Hash: F95156B4A04649CFDB14CFA9D68879EBBF4EF48304F208499E519A3390D7749844CF65
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0260BE0E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: 44d645c3bc862448ffd9dac833bc2a376a971783440f02aad6f96eb14bc9391a
                                                                                                                • Instruction ID: 99d09233cd21a4072431d5aa4558dce6e1fb1af764430b462adba271e420846c
                                                                                                                • Opcode Fuzzy Hash: 44d645c3bc862448ffd9dac833bc2a376a971783440f02aad6f96eb14bc9391a
                                                                                                                • Instruction Fuzzy Hash: 1B812570A00B058FD728DF6AC49475BBBF1BF88208F008A2DD596D7B80DB75E9068F91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0260DD8A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CreateWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 716092398-0
                                                                                                                • Opcode ID: 46a7a9fb2c692635bfc8764c0130103e449bd18844e54c08acd52b198c4d9f9d
                                                                                                                • Instruction ID: fb9199decb6067d3f4e0ef3510ac11740d547d532c8e0f53ad73df58690e4f91
                                                                                                                • Opcode Fuzzy Hash: 46a7a9fb2c692635bfc8764c0130103e449bd18844e54c08acd52b198c4d9f9d
                                                                                                                • Instruction Fuzzy Hash: 6051C0B1D00349DFDB18CF99D884ADEBBB5FF48314F24822AE819AB250D7B49945CF90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0260DD8A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CreateWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 716092398-0
                                                                                                                • Opcode ID: 98396179ff549b8b6c15123742e2b1c5068b6d698d650c9e40f47b1d8ce98ac2
                                                                                                                • Instruction ID: b5dfe2ff219b9db00290089a0c76b79a0053bfc5c79532c9f506bc957c5804c5
                                                                                                                • Opcode Fuzzy Hash: 98396179ff549b8b6c15123742e2b1c5068b6d698d650c9e40f47b1d8ce98ac2
                                                                                                                • Instruction Fuzzy Hash: 1C41BFB1D10309DFDB18CF99C884ADEBBB5FF48314F24862AE819AB250D7749945CF90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02606E3F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                • Opcode ID: fa4fd317124d0733f1ac75b2aeb3ec79d4a5d0e879402d5ff1213f96504e7f76
                                                                                                                • Instruction ID: 0cabc1491ec7e7b11581c7e3b45ca9d3c2b5c743ef86ce93f5daabfdd4f78e97
                                                                                                                • Opcode Fuzzy Hash: fa4fd317124d0733f1ac75b2aeb3ec79d4a5d0e879402d5ff1213f96504e7f76
                                                                                                                • Instruction Fuzzy Hash: 2F418A76900248AFDB01CF99D884AEEBFF9FB49314F04805AEA14A7361D774A954DFA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02606E3F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                • Opcode ID: 29bb1726246f67bb9f0f6253009e6dad58fe997c8a07a99652f9bdde1687ddc2
                                                                                                                • Instruction ID: eb55bcd5e0454d8c32318aeb562c6576cb3a25eaa2568b8fd6663683c5deb3be
                                                                                                                • Opcode Fuzzy Hash: 29bb1726246f67bb9f0f6253009e6dad58fe997c8a07a99652f9bdde1687ddc2
                                                                                                                • Instruction Fuzzy Hash: E72105B59003489FDB10CFA9D584AEEFBF8FB48324F14845AE954A3350D378A955CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02606E3F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                • Opcode ID: 60a7964724c35ee5fedf5d6a821bde5fb66a08c21f1086f4557b29b284096f3b
                                                                                                                • Instruction ID: 07499e6ce88fa587554658040a2e9233adf0ef1afcfd282b88d5acefe56bbc5f
                                                                                                                • Opcode Fuzzy Hash: 60a7964724c35ee5fedf5d6a821bde5fb66a08c21f1086f4557b29b284096f3b
                                                                                                                • Instruction Fuzzy Hash: EE21C2B59003489FDB10CFA9D984ADEBBF8FB48324F14841AE954A3350D378A954DFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0260BE89,00000800,00000000,00000000), ref: 0260C09A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                • Opcode ID: b4639eb5ca0833fccb00518da603c462b05255fb621a056d682a5369d3454514
                                                                                                                • Instruction ID: cef809fdedd228b6b983c6281811645dbee6e8ad40c7dc1e064a10d5144bc45e
                                                                                                                • Opcode Fuzzy Hash: b4639eb5ca0833fccb00518da603c462b05255fb621a056d682a5369d3454514
                                                                                                                • Instruction Fuzzy Hash: AB11F2B69002498FDB14CF9AD888BDEFBF4EB88314F15852AD515A7240C375A945CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0260BE89,00000800,00000000,00000000), ref: 0260C09A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                • Opcode ID: a6ebedcfc60e2140206f049601b5ae4befe150bef12175fe9ff038cde48f111f
                                                                                                                • Instruction ID: 6d380558bd2566c515c6a46ae7d0ef70fbefff4807cf3dcfb7d8967749941fb6
                                                                                                                • Opcode Fuzzy Hash: a6ebedcfc60e2140206f049601b5ae4befe150bef12175fe9ff038cde48f111f
                                                                                                                • Instruction Fuzzy Hash: 811103B69002488FDB14CF9AD488B9FFBF4EB48354F00852AE516B7640C3B5A545CFA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0260BE0E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: eb0b0bd46bcfca1a174e689a159da35508606feccd0a8d93d7199b9b90f9e932
                                                                                                                • Instruction ID: d7b3ce84df6be86c121ca3423784c810f8777228cd9e79034370fc75a35d796f
                                                                                                                • Opcode Fuzzy Hash: eb0b0bd46bcfca1a174e689a159da35508606feccd0a8d93d7199b9b90f9e932
                                                                                                                • Instruction Fuzzy Hash: 93110FB5D002498FDB14CF9AC484BDFFBF4EB88228F14842AD929A7640C378A545CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetWindowLongW.USER32(?,?,?), ref: 0260DF1D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LongWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1378638983-0
                                                                                                                • Opcode ID: 409c9614c63b8282d8fc9850e6b88ce82de955b60da180249894fc9442b43865
                                                                                                                • Instruction ID: 950431a06d57a88b9f7a2579c9b84ac628f483cc068f95434c72e35e064dd3ae
                                                                                                                • Opcode Fuzzy Hash: 409c9614c63b8282d8fc9850e6b88ce82de955b60da180249894fc9442b43865
                                                                                                                • Instruction Fuzzy Hash: DB1103B59002098FDB10CF99D589BDEFBF4EB48324F10851AE919A7740C374A945CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetWindowLongW.USER32(?,?,?), ref: 0260DF1D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LongWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1378638983-0
                                                                                                                • Opcode ID: cac7a1045ade3136218512cd3ce224b4c4b6fd79d0d136661a9a2177e7eff097
                                                                                                                • Instruction ID: 703a395c5d329ecce607df28588f531e7a8ee579b308800d0e17eb454100c904
                                                                                                                • Opcode Fuzzy Hash: cac7a1045ade3136218512cd3ce224b4c4b6fd79d0d136661a9a2177e7eff097
                                                                                                                • Instruction Fuzzy Hash: B311E2B59002499FDB10CF99D588BDFBBF8EB48324F10855AE959B7740C3B4A944CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.258376091.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9686b8e9b6618e47b7d61aec57c71947bdd1322d5531dc022336e7f143ce3e52
                                                                                                                • Instruction ID: 2f6861ae0e2d17034e427097a05d605f759d353ea695cc708ae97c0ab24028e6
                                                                                                                • Opcode Fuzzy Hash: 9686b8e9b6618e47b7d61aec57c71947bdd1322d5531dc022336e7f143ce3e52
                                                                                                                • Instruction Fuzzy Hash: 9E213AB2505240EFDB00DF10D9C0B26BB75FF94324F24C9A9E90D4B296C33AE856CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.258424379.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b072e2a4b493236c65d4f7827681fdc6240c2eab89d1cd2fff7de089ff9d0337
                                                                                                                • Instruction ID: d1cc7bce72898a9e0bb931f13839501ab72aadf03c096391692e7a872cb30050
                                                                                                                • Opcode Fuzzy Hash: b072e2a4b493236c65d4f7827681fdc6240c2eab89d1cd2fff7de089ff9d0337
                                                                                                                • Instruction Fuzzy Hash: 5F213771504240DFDB14EF20D9C0B26BB65FB84314F20C9ADD8094B386C37AD807CB61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.258424379.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: de0ba18eca9645769c85ae64e732634d085768cf1239e23336d6f2e7d2c3b3fa
                                                                                                                • Instruction ID: 6830308e6f606878c13369fe886f1c75d1716b31e3bad2a3a36cec467f1b284b
                                                                                                                • Opcode Fuzzy Hash: de0ba18eca9645769c85ae64e732634d085768cf1239e23336d6f2e7d2c3b3fa
                                                                                                                • Instruction Fuzzy Hash: 0A2107B1505244EFDB05EF50D5C0F26BB65FB84314F24C9ADE9094B386C37AD846CB61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.258424379.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8f0067a84d8d20742df5bcc4db9dd6bfb542b04f52ca88cf9a2c1a9d55714e09
                                                                                                                • Instruction ID: b3650a04f33ebb7afca1d82c030053e3a8599cdd253974df9e67e44cbb9d89ec
                                                                                                                • Opcode Fuzzy Hash: 8f0067a84d8d20742df5bcc4db9dd6bfb542b04f52ca88cf9a2c1a9d55714e09
                                                                                                                • Instruction Fuzzy Hash: 21219F755093C08FCB12CF20D994B15BF71EB46314F29C5EAD8498B6A7C33AD80ACB62
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.258376091.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b88a7ec900b8d9d152df82f6a6fdb144c596dfe53c5a765c19d03004c3cb1d32
                                                                                                                • Instruction ID: b8e5e0f15549683ccbb97dcdb1a23a35e1b6370ec39167ee123ae641ac3a8ea2
                                                                                                                • Opcode Fuzzy Hash: b88a7ec900b8d9d152df82f6a6fdb144c596dfe53c5a765c19d03004c3cb1d32
                                                                                                                • Instruction Fuzzy Hash: 5E11D376405280DFCB11CF10D5C4B16BF72FF94320F24C6A9D8080B666C33AE856CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.258424379.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4025d37efdfbce0e093f44a05613069a3d82dc03039e765c907437c890d8199e
                                                                                                                • Instruction ID: 405bd781013a11d8ca58d32771bf46eb0144549bf05105309c32ce60bfd8f560
                                                                                                                • Opcode Fuzzy Hash: 4025d37efdfbce0e093f44a05613069a3d82dc03039e765c907437c890d8199e
                                                                                                                • Instruction Fuzzy Hash: 5B118B75905280DFDB11DF14D5C4B15BBB1FB84324F28C6A9D8494B796C33AD84ACB61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.258376091.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 7777250d7ff099963df50942106659af68dc106249ec72d3a60433941c84f6a8
                                                                                                                • Instruction ID: b1539ad66999db67558ab8ca6b1fed87debd4f1d18129c8ce13a4a384b5eedd7
                                                                                                                • Opcode Fuzzy Hash: 7777250d7ff099963df50942106659af68dc106249ec72d3a60433941c84f6a8
                                                                                                                • Instruction Fuzzy Hash: 1801F7B200A3409EE7188E26C8C4B66FBECEF41724F18C85AED0C4B246C3B89844C6B1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.258376091.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: bc68f015104b6a8f52987b57be1c9efe7e21a3fc6b33d397b4cdea49ef8ca96f
                                                                                                                • Instruction ID: 8ddbf853ad8d10ba6d855bd2eca69edf6d4b92b597df409b24e68fde095f027d
                                                                                                                • Opcode Fuzzy Hash: bc68f015104b6a8f52987b57be1c9efe7e21a3fc6b33d397b4cdea49ef8ca96f
                                                                                                                • Instruction Fuzzy Hash: 08F04FB64053449EE7148A16C9C4B62FBACEF55724F18C45AED485A286C3789844CAA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c0b39db63b2e9e14d6ff235cab9a6042e02ba5952b266bcc601c3fcbc15c5b6a
                                                                                                                • Instruction ID: 5dfdd38fec85edd0bacbde1c0d372fbb9519326889774fed0ad8981a0781fa94
                                                                                                                • Opcode Fuzzy Hash: c0b39db63b2e9e14d6ff235cab9a6042e02ba5952b266bcc601c3fcbc15c5b6a
                                                                                                                • Instruction Fuzzy Hash: 2FF034B1E1434A9FDB44DFA9C801AAEBBF8FF08300F1145AAD908E7300E77096058BA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 094b4a2d14d7ef3c3e9eb59e8f7c7742c46fa05bfe5d82ba72c9030253592371
                                                                                                                • Instruction ID: 449fdd4814ca7d7061f0349e6208ac9e94f16dfe66a6d6afe3277319ba113deb
                                                                                                                • Opcode Fuzzy Hash: 094b4a2d14d7ef3c3e9eb59e8f7c7742c46fa05bfe5d82ba72c9030253592371
                                                                                                                • Instruction Fuzzy Hash: ACE0B6B2D50209DFD740EFB9C945A5EBBF5BF08700F1185A9D019E7311E7B496058F91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 43715c31d199c9ab5a0a1d2f8730656c31c64e1bd025412fdef3c61d4e7921d9
                                                                                                                • Instruction ID: 2bd6353b42b86db195a4e7004c95f1e4648823c9f50555ea1e6e251c7c941549
                                                                                                                • Opcode Fuzzy Hash: 43715c31d199c9ab5a0a1d2f8730656c31c64e1bd025412fdef3c61d4e7921d9
                                                                                                                • Instruction Fuzzy Hash: 4FD012372542085F4B80EB94E800D5277DDFF24700705C422E508CB121F621E575D751
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: M+B$M+B$M+B
                                                                                                                • API String ID: 0-1830865625
                                                                                                                • Opcode ID: f3d81672591eed810943864df60e992ca251bb1cd595c8a174d1874343147eab
                                                                                                                • Instruction ID: 3e82bd2f0478cbcb3e5c204e12985fbcdaf80265da1be8b1e11426d189fea55e
                                                                                                                • Opcode Fuzzy Hash: f3d81672591eed810943864df60e992ca251bb1cd595c8a174d1874343147eab
                                                                                                                • Instruction Fuzzy Hash: 44612AB1E2520ADBCB04CFA6D9959EEFBB2FF88300F148059D515B7214E774A681CF94
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: _C`M$`8l3
                                                                                                                • API String ID: 0-2265416962
                                                                                                                • Opcode ID: c5ac8794e967500c3b175a72b87a6f45238649f8fb225a445fee3f8fa9f8a1e1
                                                                                                                • Instruction ID: 3dc11bc6459fdaacda9082eb237051d56a554f61eb9089cf775e9ec700f31288
                                                                                                                • Opcode Fuzzy Hash: c5ac8794e967500c3b175a72b87a6f45238649f8fb225a445fee3f8fa9f8a1e1
                                                                                                                • Instruction Fuzzy Hash: 8E91F575E25219CFCB04CFAAD8855AEBBB2FF89300F20902AE415BB254D7749942CF94
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: M+B$M+B
                                                                                                                • API String ID: 0-590328333
                                                                                                                • Opcode ID: 5f2a61ee90a79b60be4b77b943102d008d1669e77d1c509a7a5ab98dfa0373e4
                                                                                                                • Instruction ID: db943dc0724f38bc4332571b7ac5a86a27345680ac323c0d537ee08c06ea02c1
                                                                                                                • Opcode Fuzzy Hash: 5f2a61ee90a79b60be4b77b943102d008d1669e77d1c509a7a5ab98dfa0373e4
                                                                                                                • Instruction Fuzzy Hash: 2C512B71E2420ADBCB04CFA6D4859EEFBF2FF88300F14806AD515A7254E774AA85CF95
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 05p$Y|;!
                                                                                                                • API String ID: 0-221307175
                                                                                                                • Opcode ID: 34f81ffa86de3c32eaaf2a00cb7dbf19e306c115bab107bc230ea3da778daeb3
                                                                                                                • Instruction ID: edb4f5f5ab58b460820d98905f1f9370ced3f338a464540a70e130f2c627850f
                                                                                                                • Opcode Fuzzy Hash: 34f81ffa86de3c32eaaf2a00cb7dbf19e306c115bab107bc230ea3da778daeb3
                                                                                                                • Instruction Fuzzy Hash: D5410871D2420ADBCB08CFAAC5855AEFBF2BF88300F64D46AC415B7254E7749A42CF94
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 05p$Y|;!
                                                                                                                • API String ID: 0-221307175
                                                                                                                • Opcode ID: 4941633be0c89560344d830366751be2a07ebf13993eea83d12c62b5e775b39e
                                                                                                                • Instruction ID: 7622c720f90e1fb17339f8dd215dc3a9eee42cdd9b2c157da0fc7d8849281d43
                                                                                                                • Opcode Fuzzy Hash: 4941633be0c89560344d830366751be2a07ebf13993eea83d12c62b5e775b39e
                                                                                                                • Instruction Fuzzy Hash: 43411771E1420ADFCB08CFAAC4855AEFBF2BF88300F24D46AC415A6254E7349A42CF94
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: j_2z
                                                                                                                • API String ID: 0-1335848357
                                                                                                                • Opcode ID: 8d4995a189846521f98e34570ca1846473a1101efecb0e506047cb1a7aeb03ed
                                                                                                                • Instruction ID: 93a87ea1454c922ad0efa034e7b51fe173efad72f23db35f82e758e1ede0d048
                                                                                                                • Opcode Fuzzy Hash: 8d4995a189846521f98e34570ca1846473a1101efecb0e506047cb1a7aeb03ed
                                                                                                                • Instruction Fuzzy Hash: D7511871E2520ADFDB08CFA6D5855AEFBF2BF88300F24C46AC505A7254D7349A41CF95
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: j_2z
                                                                                                                • API String ID: 0-1335848357
                                                                                                                • Opcode ID: 5b3b47d4cd9769304f4b7f872fe0c64adde74654a464b97d5b2afbd886e9e368
                                                                                                                • Instruction ID: 07debf07eb690d5b76da9f4aadf53a3f5bac38fba24349e1bee3eefd92e5ed95
                                                                                                                • Opcode Fuzzy Hash: 5b3b47d4cd9769304f4b7f872fe0c64adde74654a464b97d5b2afbd886e9e368
                                                                                                                • Instruction Fuzzy Hash: D2512771E2520ADFDB08CFA6D5855AEFBF2BF88300F24C06AC405B7214D7349A418F99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 6091a545c5a875054befad5823cc17e5c9af6d48b9fcb8306a6c9e92d29e0f6b
                                                                                                                • Instruction ID: d376efc0ac285d22bbfcfdc0acd577652227bbe3d7a36adc3f3a510234478bf3
                                                                                                                • Opcode Fuzzy Hash: 6091a545c5a875054befad5823cc17e5c9af6d48b9fcb8306a6c9e92d29e0f6b
                                                                                                                • Instruction Fuzzy Hash: 1E525AB1D40B468BD738CF14E4C92AD3BB1FB44324BD2AA19D5526BAD0D3B464AECF44
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b233999e770de548367a49904f588c053af087e4626cdc262a7178c28f9d112b
                                                                                                                • Instruction ID: ff3c62859b682ac14c12946313b5e52f36f7ce401a1e3c48001a05f7ba9a0914
                                                                                                                • Opcode Fuzzy Hash: b233999e770de548367a49904f588c053af087e4626cdc262a7178c28f9d112b
                                                                                                                • Instruction Fuzzy Hash: CBB19072A142159FCB14CF69C984EAEB7B6FF84300F568069E919AB661CB30ED45CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.259074625.0000000002600000.00000040.00000001.sdmp, Offset: 02600000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8e057e2d58f422d34eb3760b1e650413e5d181714a35fe60276391fddbb953ad
                                                                                                                • Instruction ID: fca9551cebd0ae7e88b41d9db6af174eab46348b843a86da2e26ac3d4920fc2a
                                                                                                                • Opcode Fuzzy Hash: 8e057e2d58f422d34eb3760b1e650413e5d181714a35fe60276391fddbb953ad
                                                                                                                • Instruction Fuzzy Hash: 77A18F32E0061A8FCF09DFA5C8845DEB7B3FF85304B15856AE905BB261EB31A955DF40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e62018c657a4692be4d2f5deda42b2189d299d125f9f883a794ecd4f39e294e8
                                                                                                                • Instruction ID: 11da5945552cf558a224706a2cc81cf9f540e24b559c75860566e9181d1b46f7
                                                                                                                • Opcode Fuzzy Hash: e62018c657a4692be4d2f5deda42b2189d299d125f9f883a794ecd4f39e294e8
                                                                                                                • Instruction Fuzzy Hash: ABA115B5E152098FDF08CFA9C5819AEFBF2BF88310F24C169D415BB255D73499428F64
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 6f812bd452dfbf7ccbef4bfc211c8fb3a8696c542fb1fdda08e430da30696d85
                                                                                                                • Instruction ID: db017c8c39a7255cdeccab73d78003a9f960ca3ccb5f4b3cbb6fbc0146febb4f
                                                                                                                • Opcode Fuzzy Hash: 6f812bd452dfbf7ccbef4bfc211c8fb3a8696c542fb1fdda08e430da30696d85
                                                                                                                • Instruction Fuzzy Hash: 2CA115B1E152198FDF08CFA9C9819AEFBF2BF88310F14C16AD415BB258D73499428F65
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.268880617.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 33d39e0be260f714dc7dabac052749ff3d87416edc5a692408f1e90e5101644e
                                                                                                                • Instruction ID: e6f3f6f2c352b9643444ffef3bfa4c6bb055bf7d2cc17e1682df91051f31f537
                                                                                                                • Opcode Fuzzy Hash: 33d39e0be260f714dc7dabac052749ff3d87416edc5a692408f1e90e5101644e
                                                                                                                • Instruction Fuzzy Hash: 15811975E2021D9FDB04DFE5D9495AEBBB2FF89300F14842AD81AAB358DB749901CF50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Executed Functions

                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0648C120
                                                                                                                • GetCurrentThread.KERNEL32 ref: 0648C15D
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0648C19A
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0648C1F3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511425701.0000000006480000.00000040.00000001.sdmp, Offset: 06480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Current$ProcessThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2063062207-0
                                                                                                                • Opcode ID: ffc1b4459d711bda83686ba6c44b71a55b53a5b87167246c229d773d14c178eb
                                                                                                                • Instruction ID: 2c73e7282a3d59cde0f361a052e61944a3087a1d9600f2625bdb76fb672712f7
                                                                                                                • Opcode Fuzzy Hash: ffc1b4459d711bda83686ba6c44b71a55b53a5b87167246c229d773d14c178eb
                                                                                                                • Instruction Fuzzy Hash: 675154B09007488FDB54DFAAD988BDEBBF1EB48304F24845AE009B7750C7749884CF62
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0648C120
                                                                                                                • GetCurrentThread.KERNEL32 ref: 0648C15D
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0648C19A
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0648C1F3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511425701.0000000006480000.00000040.00000001.sdmp, Offset: 06480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Current$ProcessThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2063062207-0
                                                                                                                • Opcode ID: 2987a22315b49e13286c98dc6e1280f25d8a79aa9dcf40adec65aae3b034a390
                                                                                                                • Instruction ID: 35eccfd017c2c8a7979bf01ae5aae75deb7a7590bcd8f9fa1f2b1e161c2268ef
                                                                                                                • Opcode Fuzzy Hash: 2987a22315b49e13286c98dc6e1280f25d8a79aa9dcf40adec65aae3b034a390
                                                                                                                • Instruction Fuzzy Hash: D75144B09006488FDB54DFAAD988BDEBBF1FB48314F24845AE419B7350D7749884CF66
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 064932DE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511498100.0000000006490000.00000040.00000001.sdmp, Offset: 06490000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: df0e504a9a2d962f72fc2107bb89b3fdf92bbe697314651a1900e7429bfc332e
                                                                                                                • Instruction ID: e3a990ea10fb53ba3faddc7264cffe7275d6e4ab2502a7a312c8b11bba207ae2
                                                                                                                • Opcode Fuzzy Hash: df0e504a9a2d962f72fc2107bb89b3fdf92bbe697314651a1900e7429bfc332e
                                                                                                                • Instruction Fuzzy Hash: 2C815370A00B058FDB65DF2AD44575BBBF1BF8A204F00892ED08AD7B50DB74E845CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0649524A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511498100.0000000006490000.00000040.00000001.sdmp, Offset: 06490000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CreateWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 716092398-0
                                                                                                                • Opcode ID: 83a577e80156e1d2ae920b450284920360135f273ae7934be6a0611f20d0559a
                                                                                                                • Instruction ID: d6794aea5e37977a1d16009707664cf63a491c00ed64c8cae06d90befc1938e2
                                                                                                                • Opcode Fuzzy Hash: 83a577e80156e1d2ae920b450284920360135f273ae7934be6a0611f20d0559a
                                                                                                                • Instruction Fuzzy Hash: FF5100B0C05348AFDF15CFA9C890ADEBFB1BF48314F25852AE819AB210D7749885CF91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0649524A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511498100.0000000006490000.00000040.00000001.sdmp, Offset: 06490000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CreateWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 716092398-0
                                                                                                                • Opcode ID: c60b0638deeeb83f5cd0ebf775ac0019b68cbdd0807c15f482d522ba6b90d7e4
                                                                                                                • Instruction ID: bb2eefaada45481356d63738aa24751ba603abfc3d448c783bc39245cf0aecee
                                                                                                                • Opcode Fuzzy Hash: c60b0638deeeb83f5cd0ebf775ac0019b68cbdd0807c15f482d522ba6b90d7e4
                                                                                                                • Instruction Fuzzy Hash: 2E51BEB1D00349AFDF15CF99C884ADEBFB5BF48314F64812AE819AB210D7759885CF91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 064977A1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511498100.0000000006490000.00000040.00000001.sdmp, Offset: 06490000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CallProcWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2714655100-0
                                                                                                                • Opcode ID: 107e3683fc8796f745dab436e5f91a17d4282366690a4b1fbacc31fcf41f14a4
                                                                                                                • Instruction ID: 294b0d165c57760338ad6db64880ef88e3bf0d1b51414c3fc8606a466a3fea8f
                                                                                                                • Opcode Fuzzy Hash: 107e3683fc8796f745dab436e5f91a17d4282366690a4b1fbacc31fcf41f14a4
                                                                                                                • Instruction Fuzzy Hash: A5414F78910205DFDB54DF99C488B9ABFF5FF88314F15849AD419A7321D774A841CFA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 02D4E3D3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.505653041.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DispatcherExceptionUser
                                                                                                                • String ID:
                                                                                                                • API String ID: 6842923-0
                                                                                                                • Opcode ID: 9b49e676f140919d5681a1c615959906e3f6fcae8de7e2186f38b5b670d774e0
                                                                                                                • Instruction ID: 2984950a8a8dbe0cc38a2c2faa485c9f20752ed9565de74763151fd1b00505e4
                                                                                                                • Opcode Fuzzy Hash: 9b49e676f140919d5681a1c615959906e3f6fcae8de7e2186f38b5b670d774e0
                                                                                                                • Instruction Fuzzy Hash: B031D739138121DBCB2C6F71FA0F2A87F31FF542067924961B106814A8CFA44992EF22
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 02D4E3D3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.505653041.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DispatcherExceptionUser
                                                                                                                • String ID:
                                                                                                                • API String ID: 6842923-0
                                                                                                                • Opcode ID: 02a1f498da6dfa5d67ab2c6ea5e8a624619c8f7cec3423051c0380453b9aed26
                                                                                                                • Instruction ID: 73ebac5f3603587b8a8918e475e24eafc9a3bf511182fabacd91f163513f9bf8
                                                                                                                • Opcode Fuzzy Hash: 02a1f498da6dfa5d67ab2c6ea5e8a624619c8f7cec3423051c0380453b9aed26
                                                                                                                • Instruction Fuzzy Hash: E631D839139121DBCB2C6F71FA0F2AC7F31FF54246BD24521B10691468CFA54986EF22
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0648C2AE,?,?,?,?,?), ref: 0648C36F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511425701.0000000006480000.00000040.00000001.sdmp, Offset: 06480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                • Opcode ID: 4eedf4c0f6641eae56de7c79a72de8cf9431930f973af57486c9e14233249c71
                                                                                                                • Instruction ID: c3b53b85f2b9ddb565b38d4ea0d716504d50a34b40f3647721be74a0fd10a315
                                                                                                                • Opcode Fuzzy Hash: 4eedf4c0f6641eae56de7c79a72de8cf9431930f973af57486c9e14233249c71
                                                                                                                • Instruction Fuzzy Hash: A621E5B5901248AFDB10CFAAD984ADEFBF8FB48324F14841AE954A7710D374A945CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0648C2AE,?,?,?,?,?), ref: 0648C36F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511425701.0000000006480000.00000040.00000001.sdmp, Offset: 06480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                • Opcode ID: a96748074dca7f1e54683fd36c9992436113775670e10d31d204d322a3edea7f
                                                                                                                • Instruction ID: f9605c1300747e8e77c1ebf40b57567ffafe7de806e5ac746daf8f5568ef7c3d
                                                                                                                • Opcode Fuzzy Hash: a96748074dca7f1e54683fd36c9992436113775670e10d31d204d322a3edea7f
                                                                                                                • Instruction Fuzzy Hash: 9D21E5B5D002489FDB10CFAAD584ADEBBF4EB48314F54841AE958B7710D378A945CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06493359,00000800,00000000,00000000), ref: 0649354A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511498100.0000000006490000.00000040.00000001.sdmp, Offset: 06490000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                • Opcode ID: cde211db5b2e112a6153258fc47eada7b1706b8d39c6e20398ad2888891aca70
                                                                                                                • Instruction ID: 240aa9e7e20dad40f663882ac9f3d57baa9d114761e6318b7e6a0d58723c5beb
                                                                                                                • Opcode Fuzzy Hash: cde211db5b2e112a6153258fc47eada7b1706b8d39c6e20398ad2888891aca70
                                                                                                                • Instruction Fuzzy Hash: D01114B6D002489FCB11CF9AD488BDEFBF4EB89324F11842AD415B7600C3B9A945CFA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 064932DE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511498100.0000000006490000.00000040.00000001.sdmp, Offset: 06490000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: 492bda17d0fa5651217824f0fafef24dfed6ceacea38cf9bc4859e8890d34a91
                                                                                                                • Instruction ID: eff3a7056d6895dba52a15a491647107fdf4300cae575d1c93fd75054b363e06
                                                                                                                • Opcode Fuzzy Hash: 492bda17d0fa5651217824f0fafef24dfed6ceacea38cf9bc4859e8890d34a91
                                                                                                                • Instruction Fuzzy Hash: AD1102B5C006498FCB10CF9AC444BDEFBF4EB88324F10841AD429A7600C3B5A545CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • OleInitialize.OLE32(00000000), ref: 064997F5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511498100.0000000006490000.00000040.00000001.sdmp, Offset: 06490000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Initialize
                                                                                                                • String ID:
                                                                                                                • API String ID: 2538663250-0
                                                                                                                • Opcode ID: 233320071793fea5a7ae61f5b4d5954ab9c4187fdd9703c132f8d166f3337e1a
                                                                                                                • Instruction ID: 1f6c85544350dd020c15d38764e26ebdf8605936711a24dae9c58341d3e2c687
                                                                                                                • Opcode Fuzzy Hash: 233320071793fea5a7ae61f5b4d5954ab9c4187fdd9703c132f8d166f3337e1a
                                                                                                                • Instruction Fuzzy Hash: DA01F0B5900648CFCB10DFA9D5887DEBBF4AB48324F24885AD559B7610C3B9A944CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • OleInitialize.OLE32(00000000), ref: 064997F5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.511498100.0000000006490000.00000040.00000001.sdmp, Offset: 06490000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Initialize
                                                                                                                • String ID:
                                                                                                                • API String ID: 2538663250-0
                                                                                                                • Opcode ID: 4baaf01241bd5a45bd5cb6b94a905dfd2bce8d4cf2c4eb6d336bb2c7e76b536c
                                                                                                                • Instruction ID: 7895afaa45b4b74fef5f4fad22289277e162d159c6d453c9ab5a2ece6cdba833
                                                                                                                • Opcode Fuzzy Hash: 4baaf01241bd5a45bd5cb6b94a905dfd2bce8d4cf2c4eb6d336bb2c7e76b536c
                                                                                                                • Instruction Fuzzy Hash: 47F014B59043848FCB11CF99D89878ABBF4AB49218F19849AD158A7261C378A448CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.505175348.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0882ac3c6a13f5b9da8b8e14ca69b22212491b8eb1bd0311b9bfa619d4124ce6
                                                                                                                • Instruction ID: e3b6086e1bdc4d0dc0ffd4ec081b12e0ec77ca9972b28675c8dc00b3c3ffa219
                                                                                                                • Opcode Fuzzy Hash: 0882ac3c6a13f5b9da8b8e14ca69b22212491b8eb1bd0311b9bfa619d4124ce6
                                                                                                                • Instruction Fuzzy Hash: 25214BB1504640DFCF09CFD4E9C8B26BBA5FB84324F24C5A9ED054B206C336D816CBA2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.505175348.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f8f6bdb0e5e2c10bcb2a8c0dd5137c1105ca44472dcf881f6c46e8b3b801d3b7
                                                                                                                • Instruction ID: f88dd191417b9a06b2f4b7490685c909278901928c16af5bdf7d60985c1716d4
                                                                                                                • Opcode Fuzzy Hash: f8f6bdb0e5e2c10bcb2a8c0dd5137c1105ca44472dcf881f6c46e8b3b801d3b7
                                                                                                                • Instruction Fuzzy Hash: 76214871504640DFDF09CFD4E9C8F66BBA5FB94324F24C5A8E9050BA06C336E805CBA2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.505211340.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9131ee80db8438280fc053cbbcc10a3e83644837fec2157061f1b49986cc2e7a
                                                                                                                • Instruction ID: 6b7a4f48a7566743ac528e1eecff383e7ed15ede1c931e4d0c1c14f7a1b9402c
                                                                                                                • Opcode Fuzzy Hash: 9131ee80db8438280fc053cbbcc10a3e83644837fec2157061f1b49986cc2e7a
                                                                                                                • Instruction Fuzzy Hash: 7D2122B1508240EFCF19DF94E9C0B36BBA5FB84354F24C5ADEA094B246C776D846CB62
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.505211340.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 79d253463ec924f1607d0def0864b3dcc42baa65f981b565b80946bfa751a23e
                                                                                                                • Instruction ID: b96e70c493f7ccd0f50137a3d53e0afff6dba6cfa4d7e839e6ba6e502aec0037
                                                                                                                • Opcode Fuzzy Hash: 79d253463ec924f1607d0def0864b3dcc42baa65f981b565b80946bfa751a23e
                                                                                                                • Instruction Fuzzy Hash: EC218D755093C08FCB138B24D890714BF71AB46210F2981DBC8888B6A3C33A880ACB62
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.505175348.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1ff84b3e2ffea0ad810096244b844232593914b7eee0348b9faee025658a7d44
                                                                                                                • Instruction ID: fc30de012d6e7bc045bb9269d764f4918caa46910544171e768462f216e4a849
                                                                                                                • Opcode Fuzzy Hash: 1ff84b3e2ffea0ad810096244b844232593914b7eee0348b9faee025658a7d44
                                                                                                                • Instruction Fuzzy Hash: 00219076404680DFCF16CF94D9C4B16BFB1FB84320F2485A9DC044B656C336D456CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000006.00000002.505175348.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b88a7ec900b8d9d152df82f6a6fdb144c596dfe53c5a765c19d03004c3cb1d32
                                                                                                                • Instruction ID: 0c9c8f2d0759b3df4d4a40d115a8707bfd837f7d4a94fb5d70f93d6f9b21def9
                                                                                                                • Opcode Fuzzy Hash: b88a7ec900b8d9d152df82f6a6fdb144c596dfe53c5a765c19d03004c3cb1d32
                                                                                                                • Instruction Fuzzy Hash: D311AF76404680DFDF16CF94D5C8B56BFB1FB94324F24C6A9D8090BA16C33AE456CBA2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions