Analysis Report ashleyx.exe

Overview

General Information

Sample Name: ashleyx.exe
Analysis ID: 404252
MD5: 34d4452c1b344685e3f5fd7d0e9640a1
SHA1: bb42e71329d2ad4baff54600020eb7053cc53026
SHA256: 65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • ashleyx.exe (PID: 7048 cmdline: 'C:\Users\user\Desktop\ashleyx.exe' MD5: 34D4452C1B344685E3F5FD7D0E9640A1)
    • ashleyx.exe (PID: 2204 cmdline: {path} MD5: 34D4452C1B344685E3F5FD7D0E9640A1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "logs@phuboatrading-vn.comof2ZCW1li4ipTfyEsmtp.phuboatrading-vn.commylogs@phuboatrading-vn.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.911793295.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.683944483.0000000004D15000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.680319941.00000000040C9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.ashleyx.exe.4d757b8.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.ashleyx.exe.4d15598.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.ashleyx.exe.43c7e50.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.ashleyx.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.ashleyx.exe.4d757b8.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.ashleyx.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "logs@phuboatrading-vn.comof2ZCW1li4ipTfyEsmtp.phuboatrading-vn.commylogs@phuboatrading-vn.com"}
Multi AV Scanner detection for submitted file
Source: ashleyx.exe | Virustotal: Detection: 30%
Source: ashleyx.exe | ReversingLabs: Detection: 40%
Machine Learning detection for sample
Source: ashleyx.exe | Joe Sandbox ML: detected
Source: 4.2.ashleyx.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: ashleyx.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ashleyx.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49763 -> 79.141.164.23:25
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 79.141.164.23:25
Source: Joe Sandbox View | ASN Name: HZ-NL-ASGB HZ-NL-ASGB
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 79.141.164.23:25
Source: unknown | DNS traffic detected: queries for: smtp.phuboatrading-vn.com
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp, ashleyx.exe, 00000004.00000002.913746975.00000000035CC000.00000004.00000001.sdmp | String found in binary or memory: http://fl3gHqcqlp4Nk7qizX.net
Source: ashleyx.exe, 00000004.00000003.884379101.0000000001494000.00000004.00000001.sdmp | String found in binary or memory: http://fl3gHqcqlp4Nk7qizX.net853321935-2125563209-4053062332-1002_Classes
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: ashleyx.exe, 00000004.00000002.913712228.00000000035BF000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.phuboatrading-vn.com
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://wcmZQs.com
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ashleyx.exe, 00000000.00000003.652269015.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com3
Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comIta
Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comS
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.655202893.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: ashleyx.exe, 00000000.00000003.653202861.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers&
Source: ashleyx.exe, 00000000.00000003.653135407.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ashleyx.exe, 00000000.00000003.654413827.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.653796968.00000000060BF000.00000004.00000001.sdmp, ashleyx.exe, 00000000.00000003.653743073.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ashleyx.exe, 00000000.00000003.654739623.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers0._
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.653796968.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: ashleyx.exe, 00000000.00000003.655202893.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersb
Source: ashleyx.exe, 00000000.00000003.653569256.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersf
Source: ashleyx.exe, 00000000.00000003.661342053.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersivf
Source: ashleyx.exe, 00000000.00000003.655147245.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersk
Source: ashleyx.exe, 00000000.00000003.653448509.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerst
Source: ashleyx.exe, 00000000.00000002.685099190.0000000006090000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
Source: ashleyx.exe, 00000000.00000002.685099190.0000000006090000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comocK
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: ashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnN
Source: ashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd
Source: ashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnp
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ashleyx.exe, 00000000.00000003.656978899.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmu
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.651990337.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: ashleyx.exe, 00000000.00000003.651990337.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/DK
Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/VK
Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0Al
Source: ashleyx.exe, 00000000.00000003.651990337.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0YK
Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
Source: ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/8
Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/nt
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: ashleyx.exe, 00000000.00000003.651493647.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comic
Source: ashleyx.exe, 00000000.00000003.651493647.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.coms
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: ashleyx.exe, 00000000.00000003.653067561.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: ashleyx.exe, 00000000.00000003.655452602.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de.gd
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: ashleyx.exe, 00000000.00000002.683944483.0000000004D15000.00000004.00000001.sdmp, ashleyx.exe, 00000004.00000002.911793295.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\ashleyx.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\ashleyx.exe
Source: C:\Users\user\Desktop\ashleyx.exe | Window created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 4.2.ashleyx.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE585CFC4u002d35D4u002d406Au002d9AC8u002d03651886402Cu007d/u003704BD87Au002dC313u002d43EFu002d8C88u002d22424C2E14F6.csLarge array initialization: .cctor: array initializer size 11998
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_02F9C6B40_2_02F9C6B4
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_02F9F0580_2_02F9F058
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_02F9F04B0_2_02F9F04B
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B14EF80_2_07B14EF8
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B125A00_2_07B125A0
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B120A00_2_07B120A0
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B100400_2_07B10040
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B117FE0_2_07B117FE
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B117EB0_2_07B117EB
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B117010_2_07B11701
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B117480_2_07B11748
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B14EE80_2_07B14EE8
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B163D00_2_07B163D0
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B163CA0_2_07B163CA
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B12A900_2_07B12A90
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B12A820_2_07B12A82
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B120910_2_07B12091
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B148E00_2_07B148E0
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B148D00_2_07B148D0
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B110D80_2_07B110D8
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B110C60_2_07B110C6
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B100060_2_07B10006
                      Source: ashleyx.exeBinary or memory string: OriginalFilename vs ashleyx.exe
                      Source: ashleyx.exe, 00000000.00000002.674739447.0000000000D42000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRZVF0aMBAABaAKZ.exe4 vs ashleyx.exe
                      Source: ashleyx.exe, 00000000.00000002.683944483.0000000004D15000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameHKVWIQPkNrvsqpVPAUZtDZufQcU.exe4 vs ashleyx.exe
                      Source: ashleyx.exe, 00000000.00000002.675756207.00000000030C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSmartFormat.dll8 vs ashleyx.exe
                      Source: ashleyx.exe, 00000000.00000002.686459066.0000000008EB0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs ashleyx.exe
                      Source: ashleyx.exe, 00000004.00000002.911793295.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameHKVWIQPkNrvsqpVPAUZtDZufQcU.exe4 vs ashleyx.exe
                      Source: ashleyx.exe, 00000004.00000002.912671645.0000000001720000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs ashleyx.exe
                      Source: ashleyx.exe, 00000004.00000002.911855636.0000000000EC2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRZVF0aMBAABaAKZ.exe4 vs ashleyx.exe
                      Source: ashleyx.exe, 00000004.00000002.912034930.0000000001358000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs ashleyx.exe
                      Source: ashleyx.exe, 00000004.00000002.917875823.0000000006AD0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs ashleyx.exe
                      Source: ashleyx.exeBinary or memory string: OriginalFilenameRZVF0aMBAABaAKZ.exe4 vs ashleyx.exe
                      Source: ashleyx.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 4.2.ashleyx.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.2.ashleyx.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
                      Source: C:\Users\user\Desktop\ashleyx.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ashleyx.exe.logJump to behavior
                      Source: ashleyx.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\ashleyx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\ashleyx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: ashleyx.exe, 00000000.00000002.674739447.0000000000D42000.00000002.00020000.sdmp, ashleyx.exe, 00000004.00000002.911855636.0000000000EC2000.00000002.00020000.sdmpBinary or memory string: UPDATE centro_comercial.loja SET Contacto = @Contacto, Nome_comercial = @Nome_comercial, Renda = @Renda, Tipo = @Tipo, Area = @Area, Num_gerente = @Num_gerente, NIF_empresa = @NIF_empresa WHERE Num_loja = @Num_lojamDELETE centro_comercial.loja WHERE Num_loja=@Num_loja;
                      Source: ashleyx.exeVirustotal: Detection: 30%
                      Source: ashleyx.exeReversingLabs: Detection: 40%
                      Source: unknownProcess created: C:\Users\user\Desktop\ashleyx.exe 'C:\Users\user\Desktop\ashleyx.exe'
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess created: C:\Users\user\Desktop\ashleyx.exe {path}
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess created: C:\Users\user\Desktop\ashleyx.exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: ashleyx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: ashleyx.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: ashleyx.exeStatic PE information: 0x9C58D04F [Thu Feb 13 13:29:51 2053 UTC]
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_02F98233 push 10056379h; ret 0_2_02F9823D
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_02F91C8B push ebx; iretd 0_2_02F91C7A
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B10695 push eax; iretd 0_2_07B10696
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B1A19D push FFFFFF8Bh; iretd 0_2_07B1A19F
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.27698416733
                      Source: C:\Users\user\Desktop\ashleyx.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: ashleyx.exe PID: 7048, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\ashleyx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\ashleyx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\ashleyx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ashleyx.exe | Window / User API: threadDelayed 1760
Source: C:\Users\user\Desktop\ashleyx.exe | Window / User API: threadDelayed 8089
Source: C:\Users\user\Desktop\ashleyx.exe TID: 7052 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\ashleyx.exe TID: 7068 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ashleyx.exe TID: 6848 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\ashleyx.exe TID: 6772 | Thread sleep count: 1760 > 30
Source: C:\Users\user\Desktop\ashleyx.exe TID: 6772 | Thread sleep count: 8089 > 30
Source: C:\Users\user\Desktop\ashleyx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ashleyx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ashleyx.exe | Thread delayed: delay time: 31500
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: ashleyx.exe, 00000004.00000002.917649863.00000000067D0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ashleyx.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\ashleyx.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ashleyx.exe | Memory written: C:\Users\user\Desktop\ashleyx.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\ashleyx.exe | Process created: C:\Users\user\Desktop\ashleyx.exe {path}
Source: ashleyx.exe, 00000004.00000002.912943938.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: ashleyx.exe, 00000004.00000002.912943938.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: ashleyx.exe, 00000004.00000002.912943938.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: ashleyx.exe, 00000004.00000002.912943938.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Users\user\Desktop\ashleyx.exe VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Users\user\Desktop\ashleyx.exe VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ashleyx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.911793295.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.683944483.0000000004D15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.680319941.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ashleyx.exe PID: 2204, type: MEMORY
Source: Yara match | File source: Process Memory Space: ashleyx.exe PID: 7048, type: MEMORY
Source: Yara match | File source: 0.2.ashleyx.exe.4d757b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ashleyx.exe.4d15598.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ashleyx.exe.43c7e50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ashleyx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ashleyx.exe.4d757b8.3.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\ashleyx.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\ashleyx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\ashleyx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ashleyx.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\ashleyx.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\ashleyx.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\ashleyx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\ashleyx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\ashleyx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\ashleyx.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ashleyx.exe PID: 2204, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.911793295.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.683944483.0000000004D15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.680319941.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ashleyx.exe PID: 2204, type: MEMORY
Source: Yara match | File source: Process Memory Space: ashleyx.exe PID: 7048, type: MEMORY
Source: Yara match | File source: 0.2.ashleyx.exe.4d757b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ashleyx.exe.4d15598.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ashleyx.exe.43c7e50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ashleyx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ashleyx.exe.4d757b8.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

(Numbers in parentheses are the signature-count badges shown next to each matched technique in the original matrix; empty cells are techniques with no match.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (211) | Path Interception | Process Injection (112) | Masquerading (1) | OS Credential Dumping (2) | Query Registry (1) | Remote Services | Email Collection (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | Input Capture (11) | Security Software Discovery (211) | Remote Desktop Protocol | Input Capture (11) | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (131) | Credentials in Registry (1) | Process Discovery (2) | SMB/Windows Admin Shares | Archive Collected Data (11) | Automated Exfiltration | Application Layer Protocol (11) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (112) | NTDS | Virtualization/Sandbox Evasion (131) | Distributed Component Object Model | Data from Local System (2) | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Application Window Discovery (1) | SSH | Clipboard Data (1) | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (2) | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (2) | DCSync | System Information Discovery (114) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

(graph image not reproduced in this text version)

Screenshots

(screenshot thumbnails not reproduced in this text version)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ashleyx.exe | 30% | Virustotal |
ashleyx.exe | 40% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
ashleyx.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.ashleyx.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.jiyu-kobo.co.jp/DK | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnN | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://fl3gHqcqlp4Nk7qizX.net | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/a-d | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.carterandcone.com3 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/8 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/-cz | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.comgrita | 0% | URL Reputation | safe
http://www.founder.com.cn/cnp | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/8 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0YK | 0% | Avira URL Cloud | safe
http://www.fontbureau.comocK | 0% | Avira URL Cloud | safe
http://www.urwpp.de.gd | 0% | Avira URL Cloud | safe
http://www.carterandcone.comC | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/- | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.carterandcone.comS | 0% | Avira URL Cloud | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.founder.com.cn/cnd | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/nt | 0% | Avira URL Cloud | safe
http://www.tiro.coms | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.phuboatrading-vn.com | 79.141.164.23 | true | true | | unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.jiyu-kobo.co.jp/DKashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.founder.com.cn/cnNashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://127.0.0.1:HTTP/1.1ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        low
                        http://www.fontbureau.com/designersGashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                          high
                          http://fl3gHqcqlp4Nk7qizX.netashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp, ashleyx.exe, 00000004.00000002.913746975.00000000035CC000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.fontbureau.com/designers/?ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                            high
                            http://www.founder.com.cn/cn/bTheashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers?ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                              high
                              http://www.jiyu-kobo.co.jp/a-dashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.tiro.comashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designersashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.655202893.00000000060C0000.00000004.00000001.sdmpfalse
                                high
                                http://www.fontbureau.com/designersivfashleyx.exe, 00000000.00000003.661342053.00000000060C0000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.carterandcone.com3ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.goodfont.co.krashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.carterandcone.comashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/jp/8ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/-czashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.sajatypeworks.comashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.typography.netDashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cn/cTheashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://fontfabrik.comashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designersfashleyx.exe, 00000000.00000003.653569256.00000000060BF000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.fontbureau.comgritaashleyx.exe, 00000000.00000002.685099190.0000000006090000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cnpashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/8ashleyx.exe, 00000000.00000003.651990337.000000000609B000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/Y0YKashleyx.exe, 00000000.00000003.651990337.000000000609B000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.fontbureau.comocKashleyx.exe, 00000000.00000002.685099190.0000000006090000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.urwpp.de.gdashleyx.exe, 00000000.00000003.655452602.00000000060C0000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.fontbureau.com/designerskashleyx.exe, 00000000.00000003.655147245.00000000060C0000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.carterandcone.comCashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp//ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/-ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designersbashleyx.exe, 00000000.00000003.655202893.00000000060C0000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.galapagosdesign.com/DPleaseashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/Y0ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
Name: https://api.ipify.org%GETMozilla/5.0
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: low

Name: http://www.ascendercorp.com/typedesigners.html
Source: ashleyx.exe, 00000000.00000003.652269015.00000000060BE000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.fonts.com
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.sandoll.co.kr
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.urwpp.deDPlease
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.carterandcone.comS
Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.urwpp.de
Source: ashleyx.exe, 00000000.00000003.653067561.00000000060BE000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.zhongyicts.com.cn
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.sakkal.com
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: ashleyx.exe, 00000000.00000002.683944483.0000000004D15000.00000004.00000001.sdmp, ashleyx.exe, 00000004.00000002.911793295.0000000000402000.00000040.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designerst
Source: ashleyx.exe, 00000000.00000003.653448509.00000000060BF000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.founder.com.cn/cnd
Source: ashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.apache.org/licenses/LICENSE-2.0
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.com
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://DynDns.comDynDNS
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/nt
Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.tiro.coms
Source: ashleyx.exe, 00000000.00000003.651493647.00000000060C0000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://fl3gHqcqlp4Nk7qizX.net853321935-2125563209-4053062332-1002_Classes
Source: ashleyx.exe, 00000004.00000003.884379101.0000000001494000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: low

Name: http://www.jiyu-kobo.co.jp/jp/
Source: ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/Y0Al
Source: ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.carterandcone.comn
Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.galapagosdesign.com/staff/dennis.htmu
Source: ashleyx.exe, 00000000.00000003.656978899.00000000060C0000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: https://api.ipify.org%$
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: low

Name: http://www.carterandcone.coml
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.com/designers&
Source: ashleyx.exe, 00000000.00000003.653202861.00000000060BE000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.founder.com.cn/cn
Source: ashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://smtp.phuboatrading-vn.com
Source: ashleyx.exe, 00000004.00000002.913712228.00000000035BF000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.carterandcone.comIta
Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers/frere-user.html
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.653796968.00000000060BF000.00000004.00000001.sdmp, ashleyx.exe, 00000000.00000003.653743073.00000000060BF000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://wcmZQs.com
Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers/cabarga.html
Source: ashleyx.exe, 00000000.00000003.654413827.00000000060C0000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.jiyu-kobo.co.jp/
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.651990337.000000000609B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers0._
Source: ashleyx.exe, 00000000.00000003.654739623.00000000060C0000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.com/designers8
Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.653796968.00000000060BF000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.jiyu-kobo.co.jp/VK
Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.tiro.comic
Source: ashleyx.exe, 00000000.00000003.651493647.00000000060C0000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers/
Source: ashleyx.exe, 00000000.00000003.653135407.00000000060BE000.00000004.00000001.sdmp
Malicious: false
Reputation: high

                                                              Contacted IPs


                                                              Public

IP: 79.141.164.23
Domain: smtp.phuboatrading-vn.com
Country: Bulgaria
ASN: 59711
ASN Name: HZ-NL-ASGB
Malicious: true

                                                              General Information

                                                              Joe Sandbox Version:32.0.0 Black Diamond
                                                              Analysis ID:404252
                                                              Start date:04.05.2021
                                                              Start time:20:49:34
                                                              Joe Sandbox Product:CloudBasic
                                                              Overall analysis duration:0h 9m 15s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Sample file name:ashleyx.exe
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                              Number of analysed new started processes analysed:18
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • HDC enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@3/2@2/1
                                                              EGA Information:Failed
                                                              HDC Information:Failed
                                                              HCA Information:
                                                              • Successful, ratio: 99%
                                                              • Number of executed functions: 38
                                                              • Number of non-executed functions: 16
                                                              Cookbook Comments:
                                                              • Adjust boot time
                                                              • Enable AMSI
                                                              • Found application associated with file extension: .exe
                                                              Warnings:
                                                              • Excluded IPs from analysis (whitelisted): 104.42.151.234, 184.87.213.153, 13.88.21.125, 104.43.139.144, 20.82.210.154, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129
                                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                              Simulations

                                                              Behavior and APIs

Time: 20:50:33
Type: API Interceptor
Description: 720x Sleep call for process: ashleyx.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

Match: 79.141.164.23
• Purchase Inquiry 040521.exe (Detection: malicious)
• PO_001412.doc (Detection: malicious)

                                                                  Domains

Match: smtp.phuboatrading-vn.com
• PO_001412.doc (Detection: malicious), context: 79.141.164.23

                                                                  ASN

Match: HZ-NL-ASGB
• Purchase Inquiry 040521.exe (Detection: malicious), context: 79.141.164.23
• PO_001412.doc (Detection: malicious), context: 79.141.164.23
• DgWRWQ2oYs.exe (Detection: malicious), context: 5.149.255.204
• Sirus.exe (Detection: malicious), context: 5.149.255.204
• tskhoni.exe (Detection: malicious), context: 185.81.115.14
• 6IGbftBsBg.exe (Detection: malicious), context: 5.149.255.204
• ikoAImKWvI.exe (Detection: malicious), context: 5.149.255.204
• yPkfbflyoh.exe (Detection: malicious), context: 5.149.255.204
• SecuriteInfo.com.Heur.24862.exe (Detection: malicious), context: 185.81.114.183
• JYDy1dAHdW.exe (Detection: malicious), context: 5.149.255.204
• EppTbowa74.exe (Detection: malicious), context: 5.149.255.204
• 5rmW4DWq66.exe (Detection: malicious), context: 5.149.255.204
• 886t3PbVKb.apk (Detection: malicious), context: 5.149.249.226
• PO_07712.doc (Detection: malicious), context: 79.141.165.38
• IMG_00671.doc (Detection: malicious), context: 79.141.165.38
• Purchase Order.doc (Detection: malicious), context: 79.141.165.38
• sample new order.doc (Detection: malicious), context: 79.141.165.38
• IMG_144907.doc (Detection: malicious), context: 79.141.165.38
• IMG_497927.doc (Detection: malicious), context: 79.141.165.38
• 9oUx9PzdSA.exe (Detection: malicious), context: 79.141.164.163

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ashleyx.exe.log
                                                                  Process:C:\Users\user\Desktop\ashleyx.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1216
                                                                  Entropy (8bit):5.355304211458859
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                  MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                  SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                  SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                  SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                  C:\Users\user\AppData\Roaming\tmpjcm5c.fha\Chrome\Default\Cookies
                                                                  Process:C:\Users\user\Desktop\ashleyx.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):0.7006690334145785
                                                                  Encrypted:false
                                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                                  MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                                  SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                                  SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                                  SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.27303210920636
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:ashleyx.exe
File size: 1000960
MD5: 34d4452c1b344685e3f5fd7d0e9640a1
SHA1: bb42e71329d2ad4baff54600020eb7053cc53026
SHA256: 65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668
SHA512: 516b564b12a80d67cd4437af8ca86acd65b3ad8536786da3e6851cbbf8ffad33f47ca1f0c9dcd8e83002d4c1dc6d387aa6dc5759be04da782e8d1e99b0b1fde9
SSDEEP: 12288:MrloLLoS60/K7yh07qG3wBrCFfzTmjDjZLSMRoRf/mq4C6K+mgEie4Qi/Ibm+OFO:qoLA75wppvZy39uKhgEiQiga+OF
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.X...............0..<...........Z... ...`....@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4f5aae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x9C58D04F [Thu Feb 13 13:29:51 2053 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xf5a58          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xf6000          0x5c0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xf3ab4       0xf3c00   False     0.648625801282   data       7.27698416733   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xf6000          0x5c0         0x600     False     0.426432291667   data       4.14428356853   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xf8000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                         Language  Country
RT_VERSION   0xf60a0  0x334  data
RT_MANIFEST  0xf63d4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2020
Assembly Version  1.0.0.0
InternalName      RZVF0aMBAABaAKZ.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       Interface
ProductVersion    1.0.0.0
FileDescription   Interface
OriginalFilename  RZVF0aMBAABaAKZ.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                              Source Port  Dest Port  Source IP    Dest IP
05/04/21-20:52:19.790611  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49763        25         192.168.2.4  79.141.164.23
05/04/21-20:52:22.215980  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49764        25         192.168.2.4  79.141.164.23

Network Port Distribution

TCP Packets

Timestamp                           Source Port  Dest Port  Source IP      Dest IP
May 4, 2021 20:52:19.288433075 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.338658094 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.338845968 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.471122026 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.471648932 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.522794962 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.522828102 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.524703979 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.577527046 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.578166962 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.629369974 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.630331039 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.683577061 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.684187889 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.737844944 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.738210917 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.788660049 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.790611029 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.790805101 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.791933060 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.792140961 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:19.842776060 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.844707966 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.849090099 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:19.889420033 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:21.306401014 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:21.356863022 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:21.356889963 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:21.357558012 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:21.357758999 CEST  49763        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:21.407876015 CEST  25           49763      79.141.164.23  192.168.2.4
May 4, 2021 20:52:21.776424885 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:21.826559067 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:21.826730967 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:21.899658918 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:21.900046110 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:21.950335979 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:21.950547934 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:21.950968027 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.002002001 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:22.002566099 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.053567886 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:22.056337118 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.107652903 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:22.108443022 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.163306952 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:22.163737059 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.213977098 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:22.215795040 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.215980053 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.216200113 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.216372967 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.216578960 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.216739893 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.216830015 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.216959000 CEST  49764        25         192.168.2.4    79.141.164.23
May 4, 2021 20:52:22.266311884 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:22.266505003 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:22.266741991 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:22.266904116 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:22.270330906 CEST  25           49764      79.141.164.23  192.168.2.4
May 4, 2021 20:52:22.311584949 CEST  49764        25         192.168.2.4    79.141.164.23

UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
May 4, 2021 20:50:15.009428024 CEST  49714        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:15.068043947 CEST  53           49714      8.8.8.8      192.168.2.4
May 4, 2021 20:50:16.546878099 CEST  58028        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:16.598330975 CEST  53           58028      8.8.8.8      192.168.2.4
May 4, 2021 20:50:17.661214113 CEST  53097        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:17.710062027 CEST  53           53097      8.8.8.8      192.168.2.4
May 4, 2021 20:50:17.882200956 CEST  49257        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:17.940947056 CEST  53           49257      8.8.8.8      192.168.2.4
May 4, 2021 20:50:19.328146935 CEST  62389        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:19.376792908 CEST  53           62389      8.8.8.8      192.168.2.4
May 4, 2021 20:50:20.544532061 CEST  49910        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:20.597779989 CEST  53           49910      8.8.8.8      192.168.2.4
May 4, 2021 20:50:21.797899008 CEST  55854        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:21.851433992 CEST  53           55854      8.8.8.8      192.168.2.4
May 4, 2021 20:50:23.599337101 CEST  64549        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:23.648137093 CEST  53           64549      8.8.8.8      192.168.2.4
May 4, 2021 20:50:24.804491997 CEST  63153        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:24.853121042 CEST  53           63153      8.8.8.8      192.168.2.4
May 4, 2021 20:50:26.100614071 CEST  52991        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:26.152251005 CEST  53           52991      8.8.8.8      192.168.2.4
May 4, 2021 20:50:27.316915035 CEST  53700        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:27.365577936 CEST  53           53700      8.8.8.8      192.168.2.4
May 4, 2021 20:50:28.476697922 CEST  51726        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:28.529735088 CEST  53           51726      8.8.8.8      192.168.2.4
May 4, 2021 20:50:29.604787111 CEST  56794        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:29.653872013 CEST  53           56794      8.8.8.8      192.168.2.4
May 4, 2021 20:50:30.989475965 CEST  56534        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:31.039660931 CEST  53           56534      8.8.8.8      192.168.2.4
May 4, 2021 20:50:32.685702085 CEST  56627        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:32.739552021 CEST  53           56627      8.8.8.8      192.168.2.4
May 4, 2021 20:50:33.894110918 CEST  56621        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:33.942657948 CEST  53           56621      8.8.8.8      192.168.2.4
May 4, 2021 20:50:35.082353115 CEST  63116        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:35.133270979 CEST  53           63116      8.8.8.8      192.168.2.4
May 4, 2021 20:50:36.161096096 CEST  64078        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:36.220890999 CEST  53           64078      8.8.8.8      192.168.2.4
May 4, 2021 20:50:38.801924944 CEST  64801        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:38.851711035 CEST  53           64801      8.8.8.8      192.168.2.4
May 4, 2021 20:50:48.271702051 CEST  61721        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:48.320451021 CEST  53           61721      8.8.8.8      192.168.2.4
May 4, 2021 20:50:52.639288902 CEST  51255        53         192.168.2.4  8.8.8.8
May 4, 2021 20:50:52.701081038 CEST  53           51255      8.8.8.8      192.168.2.4
May 4, 2021 20:51:09.072490931 CEST  61522        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:09.134953976 CEST  53           61522      8.8.8.8      192.168.2.4
May 4, 2021 20:51:09.481513977 CEST  52337        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:09.609930992 CEST  53           52337      8.8.8.8      192.168.2.4
May 4, 2021 20:51:10.272124052 CEST  55046        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:10.558665991 CEST  53           55046      8.8.8.8      192.168.2.4
May 4, 2021 20:51:11.211080074 CEST  49612        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:11.346826077 CEST  53           49612      8.8.8.8      192.168.2.4
May 4, 2021 20:51:11.583136082 CEST  49285        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:11.658024073 CEST  53           49285      8.8.8.8      192.168.2.4
May 4, 2021 20:51:11.788130045 CEST  50601        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:12.046248913 CEST  53           50601      8.8.8.8      192.168.2.4
May 4, 2021 20:51:12.632498980 CEST  60875        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:12.692610025 CEST  53           60875      8.8.8.8      192.168.2.4
May 4, 2021 20:51:13.356338024 CEST  56448        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:13.413548946 CEST  53           56448      8.8.8.8      192.168.2.4
May 4, 2021 20:51:14.240776062 CEST  59172        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:14.297679901 CEST  53           59172      8.8.8.8      192.168.2.4
May 4, 2021 20:51:16.911333084 CEST  62420        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:16.968554020 CEST  53           62420      8.8.8.8      192.168.2.4
May 4, 2021 20:51:18.042967081 CEST  60579        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:18.100119114 CEST  53           60579      8.8.8.8      192.168.2.4
May 4, 2021 20:51:19.161361933 CEST  50183        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:19.221544981 CEST  53           50183      8.8.8.8      192.168.2.4
May 4, 2021 20:51:25.160984039 CEST  61531        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:25.220212936 CEST  53           61531      8.8.8.8      192.168.2.4
May 4, 2021 20:51:57.859030008 CEST  49228        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:57.907628059 CEST  53           49228      8.8.8.8      192.168.2.4
May 4, 2021 20:51:59.716505051 CEST  59794        53         192.168.2.4  8.8.8.8
May 4, 2021 20:51:59.774081945 CEST  53           59794      8.8.8.8      192.168.2.4
May 4, 2021 20:52:19.106405020 CEST  55916        53         192.168.2.4  8.8.8.8
May 4, 2021 20:52:19.160440922 CEST  53           55916      8.8.8.8      192.168.2.4
May 4, 2021 20:52:21.710552931 CEST  52752        53         192.168.2.4  8.8.8.8
May 4, 2021 20:52:21.774441004 CEST  53           52752      8.8.8.8      192.168.2.4

                                                                  DNS Queries

                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                  May 4, 2021 20:52:19.106405020 CEST | 192.168.2.4 | 8.8.8.8 | 0xdf8f | Standard query (0) | smtp.phuboatrading-vn.com | A (IP address) | IN (0x0001)
                                                                  May 4, 2021 20:52:21.710552931 CEST | 192.168.2.4 | 8.8.8.8 | 0x6486 | Standard query (0) | smtp.phuboatrading-vn.com | A (IP address) | IN (0x0001)

                                                                  DNS Answers

                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                  May 4, 2021 20:52:19.160440922 CEST | 8.8.8.8 | 192.168.2.4 | 0xdf8f | No error (0) | smtp.phuboatrading-vn.com |  | 79.141.164.23 | A (IP address) | IN (0x0001)
                                                                  May 4, 2021 20:52:21.774441004 CEST | 8.8.8.8 | 192.168.2.4 | 0x6486 | No error (0) | smtp.phuboatrading-vn.com |  | 79.141.164.23 | A (IP address) | IN (0x0001)

                                                                  SMTP Packets

                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                  May 4, 2021 20:52:19.471122026 CEST | 25 | 49763 | 79.141.164.23 | 192.168.2.4 | 220 smtp.phuboatrading-vn.com ESMTP
                                                                  May 4, 2021 20:52:19.471648932 CEST | 49763 | 25 | 192.168.2.4 | 79.141.164.23 | EHLO 305090
                                                                  May 4, 2021 20:52:19.522828102 CEST | 25 | 49763 | 79.141.164.23 | 192.168.2.4 | 250-smtp.phuboatrading-vn.com
                                                                      250-PIPELINING
                                                                      250-SIZE 20480000
                                                                      250-ETRN
                                                                      250-AUTH PLAIN LOGIN
                                                                      250-AUTH=PLAIN LOGIN
                                                                      250-ENHANCEDSTATUSCODES
                                                                      250-8BITMIME
                                                                      250 DSN
                                                                  May 4, 2021 20:52:19.524703979 CEST | 49763 | 25 | 192.168.2.4 | 79.141.164.23 | AUTH login bG9nc0BwaHVib2F0cmFkaW5nLXZuLmNvbQ==
                                                                  May 4, 2021 20:52:19.577527046 CEST | 25 | 49763 | 79.141.164.23 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                  May 4, 2021 20:52:19.629369974 CEST | 25 | 49763 | 79.141.164.23 | 192.168.2.4 | 235 2.7.0 Authentication successful
                                                                  May 4, 2021 20:52:19.630331039 CEST | 49763 | 25 | 192.168.2.4 | 79.141.164.23 | MAIL FROM:<logs@phuboatrading-vn.com>
                                                                  May 4, 2021 20:52:19.683577061 CEST | 25 | 49763 | 79.141.164.23 | 192.168.2.4 | 250 2.1.0 Ok
                                                                  May 4, 2021 20:52:19.684187889 CEST | 49763 | 25 | 192.168.2.4 | 79.141.164.23 | RCPT TO:<mylogs@phuboatrading-vn.com>
                                                                  May 4, 2021 20:52:19.737844944 CEST | 25 | 49763 | 79.141.164.23 | 192.168.2.4 | 250 2.1.5 Ok
                                                                  May 4, 2021 20:52:19.738210917 CEST | 49763 | 25 | 192.168.2.4 | 79.141.164.23 | DATA
                                                                  May 4, 2021 20:52:19.788660049 CEST | 25 | 49763 | 79.141.164.23 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF>
                                                                  May 4, 2021 20:52:19.792140961 CEST | 49763 | 25 | 192.168.2.4 | 79.141.164.23 | .
                                                                  May 4, 2021 20:52:19.849090099 CEST | 25 | 49763 | 79.141.164.23 | 192.168.2.4 | 250 2.0.0 Ok: queued as B04A9429A0
                                                                  May 4, 2021 20:52:21.306401014 CEST | 49763 | 25 | 192.168.2.4 | 79.141.164.23 | QUIT
                                                                  May 4, 2021 20:52:21.356863022 CEST | 25 | 49763 | 79.141.164.23 | 192.168.2.4 | 221 2.0.0 Bye
                                                                  May 4, 2021 20:52:21.899658918 CEST | 25 | 49764 | 79.141.164.23 | 192.168.2.4 | 220 smtp.phuboatrading-vn.com ESMTP
                                                                  May 4, 2021 20:52:21.900046110 CEST | 49764 | 25 | 192.168.2.4 | 79.141.164.23 | EHLO 305090
                                                                  May 4, 2021 20:52:21.950547934 CEST | 25 | 49764 | 79.141.164.23 | 192.168.2.4 | 250-smtp.phuboatrading-vn.com
                                                                      250-PIPELINING
                                                                      250-SIZE 20480000
                                                                      250-ETRN
                                                                      250-AUTH PLAIN LOGIN
                                                                      250-AUTH=PLAIN LOGIN
                                                                      250-ENHANCEDSTATUSCODES
                                                                      250-8BITMIME
                                                                      250 DSN
                                                                  May 4, 2021 20:52:21.950968027 CEST | 49764 | 25 | 192.168.2.4 | 79.141.164.23 | AUTH login bG9nc0BwaHVib2F0cmFkaW5nLXZuLmNvbQ==
                                                                  May 4, 2021 20:52:22.002002001 CEST | 25 | 49764 | 79.141.164.23 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                  May 4, 2021 20:52:22.053567886 CEST | 25 | 49764 | 79.141.164.23 | 192.168.2.4 | 235 2.7.0 Authentication successful
                                                                  May 4, 2021 20:52:22.056337118 CEST | 49764 | 25 | 192.168.2.4 | 79.141.164.23 | MAIL FROM:<logs@phuboatrading-vn.com>
                                                                  May 4, 2021 20:52:22.107652903 CEST | 25 | 49764 | 79.141.164.23 | 192.168.2.4 | 250 2.1.0 Ok
                                                                  May 4, 2021 20:52:22.108443022 CEST | 49764 | 25 | 192.168.2.4 | 79.141.164.23 | RCPT TO:<mylogs@phuboatrading-vn.com>
                                                                  May 4, 2021 20:52:22.163306952 CEST | 25 | 49764 | 79.141.164.23 | 192.168.2.4 | 250 2.1.5 Ok
                                                                  May 4, 2021 20:52:22.163737059 CEST | 49764 | 25 | 192.168.2.4 | 79.141.164.23 | DATA
                                                                  May 4, 2021 20:52:22.213977098 CEST | 25 | 49764 | 79.141.164.23 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF>
                                                                  May 4, 2021 20:52:22.216959000 CEST | 49764 | 25 | 192.168.2.4 | 79.141.164.23 | .
                                                                  May 4, 2021 20:52:22.270330906 CEST | 25 | 49764 | 79.141.164.23 | 192.168.2.4 | 250 2.0.0 Ok: queued as 23E1F429A0

                                                                  Code Manipulations

                                                                  Statistics

                                                                  CPU Usage

                                                                  Memory Usage

                                                                  High Level Behavior Distribution

                                                                  Behavior

                                                                  System Behavior

                                                                  General

                                                                  Start time: 20:50:22
                                                                  Start date: 04/05/2021
                                                                  Path: C:\Users\user\Desktop\ashleyx.exe
                                                                  Wow64 process (32bit): true
                                                                  Commandline: 'C:\Users\user\Desktop\ashleyx.exe'
                                                                  Imagebase: 0xd40000
                                                                  File size: 1000960 bytes
                                                                  MD5 hash: 34D4452C1B344685E3F5FD7D0E9640A1
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: .Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.683944483.0000000004D15000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.680319941.00000000040C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation: low

                                                                  General

                                                                  Start time: 20:50:34
                                                                  Start date: 04/05/2021
                                                                  Path: C:\Users\user\Desktop\ashleyx.exe
                                                                  Wow64 process (32bit): true
                                                                  Commandline: {path}
                                                                  Imagebase: 0xec0000
                                                                  File size: 1000960 bytes
                                                                  MD5 hash: 34D4452C1B344685E3F5FD7D0E9640A1
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: .Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.911793295.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation: low

                                                                  Disassembly

                                                                  Code Analysis

                                                                    Executed Functions

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: M!$M!
                                                                    • API String ID: 0-1211460756

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: uK`V$Q_R
                                                                    • API String ID: 0-970276977

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: uK`V
                                                                    • API String ID: 0-3869209333

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: nh/:
                                                                    • API String ID: 0-1751721067

                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 02F9C1C8
                                                                    • GetCurrentThread.KERNEL32 ref: 02F9C205
                                                                    • GetCurrentProcess.KERNEL32 ref: 02F9C242
                                                                    • GetCurrentThreadId.KERNEL32 ref: 02F9C29B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02F9A0CE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0

                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 07B16C1B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0

APIs
• CreateActCtxA.KERNEL32(?), ref: 02F95769
Memory Dump Source
• Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
Similarity
• API ID: Create

APIs
• CreateActCtxA.KERNEL32(?), ref: 02F95769
Memory Dump Source
• Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
Similarity
• API ID: Create

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F9A149,00000800,00000000,00000000), ref: 02F9A75A
Memory Dump Source
• Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
Similarity
• API ID: LibraryLoad

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B170FD
Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: MemoryProcessWrite

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B170FD
Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: MemoryProcessWrite

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F9C81F
Memory Dump Source
• Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
Similarity
• API ID: DuplicateHandle

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F9C81F
Memory Dump Source
• Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
Similarity
• API ID: DuplicateHandle

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 07B16EAF
Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: ContextThread

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B16F77
Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: MemoryProcessRead

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B16F77
Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: MemoryProcessRead

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 07B16EAF
Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: ContextThread

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F9A149,00000800,00000000,00000000), ref: 02F9A75A
Memory Dump Source
• Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
Similarity
• API ID: LibraryLoad

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B17033
Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: AllocVirtual

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B17033
Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: AllocVirtual

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02F9A0CE
Memory Dump Source
• Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
Similarity
• API ID: HandleModule

Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: ResumeThread

APIs
• PostMessageW.USER32(?,?,?,?), ref: 07B175A5
Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: MessagePost

APIs
• PostMessageW.USER32(?,?,?,?), ref: 07B175A5
Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: MessagePost

Memory Dump Source
• Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
Similarity
• API ID: ResumeThread

                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.675511729.0000000002EBD000.00000040.00000001.sdmp, Offset: 02EBD000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c90b112c5fda5e9960ec10f19cd1ba6c064f487318ace6db744af0defcdfcb0b
                                                                    • Instruction ID: 968dfdd193ee48e082ee34ad6ab314b0457d9dfa4780c2ffe4f2f38b7b19f096
                                                                    • Opcode Fuzzy Hash: c90b112c5fda5e9960ec10f19cd1ba6c064f487318ace6db744af0defcdfcb0b
                                                                    • Instruction Fuzzy Hash: 682192755493C08FCB13CF20D994756BF71EF46218F28C5DAD8498B657C33A980ACB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.675494629.0000000002EAD000.00000040.00000001.sdmp, Offset: 02EAD000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 01dc1dd5c076053dd37dabc6258269e540eab889bad8b17572ae422b602e1322
                                                                    • Instruction ID: c6da083b40893b1591c7afdf7471c169e95635792d9ef99448a2a42fdb4019af
                                                                    • Opcode Fuzzy Hash: 01dc1dd5c076053dd37dabc6258269e540eab889bad8b17572ae422b602e1322
                                                                    • Instruction Fuzzy Hash: 1C11B176844280DFCB11CF10D9D4B16BF71FB84328F28C6A9D8454F616C33AE456CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.675511729.0000000002EBD000.00000040.00000001.sdmp, Offset: 02EBD000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0e84a83932315483301ab47877d77adf2830503121ad5359d24d077b9f27d570
                                                                    • Instruction ID: 37bf7edc04f4b9c4363b86e70196d69eb6411762370995d940f97ecad6515a72
                                                                    • Opcode Fuzzy Hash: 0e84a83932315483301ab47877d77adf2830503121ad5359d24d077b9f27d570
                                                                    • Instruction Fuzzy Hash: DD118E75944280DFCB12CF50D9C4B56BB71FF84228F24C6A9D8494B656C33AD45ACB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.675494629.0000000002EAD000.00000040.00000001.sdmp, Offset: 02EAD000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7fc68d83593f18da83b2d03e0dd5b391b4fcaa9da5ab69ba60f72ed619734e10
                                                                    • Instruction ID: 7171463320516018ff6d85acc2f2aa5f4ac0bfe621f78c3777e34f75f0fe615f
                                                                    • Opcode Fuzzy Hash: 7fc68d83593f18da83b2d03e0dd5b391b4fcaa9da5ab69ba60f72ed619734e10
                                                                    • Instruction Fuzzy Hash: FB012B71448340AAF7144E25CCD4BA6FB98DF4627CF08C55AFE045F646D778B444CAB1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.675494629.0000000002EAD000.00000040.00000001.sdmp, Offset: 02EAD000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 530f65e31a8de184264799b23425ae0fe97a11d5e059aa4a04c927e4d7a8f826
                                                                    • Instruction ID: a4e2440af90cb9c8c95fb5135cefc65001ff33d9fb2291af7cec9a5ecec5874a
                                                                    • Opcode Fuzzy Hash: 530f65e31a8de184264799b23425ae0fe97a11d5e059aa4a04c927e4d7a8f826
                                                                    • Instruction Fuzzy Hash: 40F09671444384AEE7148E16CCC4B66FF98EB82778F18C45AFD085F68AD779A844CAB1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Ej?L
                                                                    • API String ID: 0-4017757794
                                                                    • Opcode ID: 8a5260a040b1573cd80a2a8c81e6fed2693ab7ed03efffab16c2313f00e36485
                                                                    • Instruction ID: 72bc5988b3da9f80b1e8725cecbcdfb25fd5e33d962ef4e704f88d6da0089ac1
                                                                    • Opcode Fuzzy Hash: 8a5260a040b1573cd80a2a8c81e6fed2693ab7ed03efffab16c2313f00e36485
                                                                    • Instruction Fuzzy Hash: 548139B4E1424ACF9B04CFE9D5419AEFBF2EF89340F50946AD419B7314E7389A028F95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Ej?L
                                                                    • API String ID: 0-4017757794
                                                                    • Opcode ID: fe3a61d2b8ed090e44fbe756659637243f1a9137745cf3953eb360e70485f57b
                                                                    • Instruction ID: 9fa977f6a8e7b5fd8e248c55ebe0684f25403def86907f0c9b1a44329a6c6fba
                                                                    • Opcode Fuzzy Hash: fe3a61d2b8ed090e44fbe756659637243f1a9137745cf3953eb360e70485f57b
                                                                    • Instruction Fuzzy Hash: 277138B4E1424ACFDB04CFE9D5419AEBBF2EB89340F50942AD519B7314E7389A028F95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: VKO*
                                                                    • API String ID: 0-532117343
                                                                    • Opcode ID: 4330634a6ae5ef60436e69698b0035f29afbbf8c2ba6a4b352cdd938e7b82c1e
                                                                    • Instruction ID: f4a209f5fece8a0c7a49f5798dab3417948be35e366a7d7ae399bf9277ba3642
                                                                    • Opcode Fuzzy Hash: 4330634a6ae5ef60436e69698b0035f29afbbf8c2ba6a4b352cdd938e7b82c1e
                                                                    • Instruction Fuzzy Hash: 74810BB4E14129CBDB14DF69C9819ADFBF2FB89204F64C1A9D808A7215DB349E42CF61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: VKO*
                                                                    • API String ID: 0-532117343
                                                                    • Opcode ID: 7ec457f6d5681cfe7c5ea61768f6cb331321943320e9b4ca3b5c4fc10efa89d5
                                                                    • Instruction ID: e65fb87cebdee32389f59e2927df2b2d2f5a849e83a08507cfe67e252aebbae1
                                                                    • Opcode Fuzzy Hash: 7ec457f6d5681cfe7c5ea61768f6cb331321943320e9b4ca3b5c4fc10efa89d5
                                                                    • Instruction Fuzzy Hash: E4810AB4E141298BDB14CF65C9819ADFBF2FF89204F64C1A9D804A7215DB349E42CF61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 28b0c52a36db89a68924d278241983ba7db331158005a3150fd53fb27a5671b7
                                                                    • Instruction ID: bc45f7423b27d24a9e8fb7170ca053465daa475217c74c14eddba212cc8beff0
                                                                    • Opcode Fuzzy Hash: 28b0c52a36db89a68924d278241983ba7db331158005a3150fd53fb27a5671b7
                                                                    • Instruction Fuzzy Hash: 0412EBF14A174A8BD310CF65E59A168BFB1F7E1328B58620AE2631B6D1DFB81146CF4C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8c668810a6eede353319bd0733540cc8bcd853efbb359c1f1f33dc77c8a59227
                                                                    • Instruction ID: 5b651875f504067ca2857c07eca2a279b9a895eecf404f2fe14afcbead7b5b3e
                                                                    • Opcode Fuzzy Hash: 8c668810a6eede353319bd0733540cc8bcd853efbb359c1f1f33dc77c8a59227
                                                                    • Instruction Fuzzy Hash: E8A18C36E00219CFDF05DFB5C8445EEBBB2FF89340B15856AEA15AB221EB31A945CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.675658353.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7192252eeeee94090ea15081deb275f50bef9040d4030c59b9eed508440a6a9a
                                                                    • Instruction ID: 56bc7b97b05756dec2164326d5a5f7443f3387aa8a63a72e488f65cadcd1595f
                                                                    • Opcode Fuzzy Hash: 7192252eeeee94090ea15081deb275f50bef9040d4030c59b9eed508440a6a9a
                                                                    • Instruction Fuzzy Hash: D8C13EB146174A8AD310CF65E9961A9BFB1F7E5328F58630AF1632B6D0DFB81046CF48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d193cb80b2b8364528c13e3eb0a1daa708b0ccc0ccb726bb090410d71bbfd9a5
                                                                    • Instruction ID: ccf727420a2f730022e2e06756a9fe3300417eb0724f9da18e78a3c4a38a24e4
                                                                    • Opcode Fuzzy Hash: d193cb80b2b8364528c13e3eb0a1daa708b0ccc0ccb726bb090410d71bbfd9a5
                                                                    • Instruction Fuzzy Hash: 499148B4E15219CFDB14CFA9C980A9EBBF2BF89304F64C1AAD508A7315D7349A41CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: be9e73118c2f655ccdc4e3fb23828125a0639cc8d7640611b20d37b56642d4f5
                                                                    • Instruction ID: 7cb53ebd3ed06ba0f78d0cbc5a611fd1dd14642159e63c64dafcc0f6e67508a2
                                                                    • Opcode Fuzzy Hash: be9e73118c2f655ccdc4e3fb23828125a0639cc8d7640611b20d37b56642d4f5
                                                                    • Instruction Fuzzy Hash: 659105B4E1521D8BDB14CFA9C980A9EFBB2FF89300F64C1AAD509AB315D7349A41CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9e9a53d23e30f82f11be7f5f01bc6bfc0582413c8bb6fb8060b6e51ceb933031
                                                                    • Instruction ID: 4af35e4238cf74a4ef604ad2dea6738b08d11649ee8b54129ce54525bea31d69
                                                                    • Opcode Fuzzy Hash: 9e9a53d23e30f82f11be7f5f01bc6bfc0582413c8bb6fb8060b6e51ceb933031
                                                                    • Instruction Fuzzy Hash: 387116B4E2521DCFDB14CFA9C980A9EFBB2BF89200F6481A9D505A7315D7349E41CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3c108e1f1752c0410559d9c69844d52f915282b51fc49e37306c7d85d791eef2
                                                                    • Instruction ID: 78507cb90c3abda88f8f7e10988b582b4bae4f213063c4b4330c59a591014445
                                                                    • Opcode Fuzzy Hash: 3c108e1f1752c0410559d9c69844d52f915282b51fc49e37306c7d85d791eef2
                                                                    • Instruction Fuzzy Hash: FB611BB4E1411DDBDB14CFAAD980A9EFBF2FB89200F64C5AAD508A7305D7349A41CF61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a1861cdb6b4743c96f6f40780a0ac61d68c253444d190b41dbcb9322d0a625aa
                                                                    • Instruction ID: daea15a8689a50cd5735aae18dfc89eaade299a64552d3c85b2b6158d4669679
                                                                    • Opcode Fuzzy Hash: a1861cdb6b4743c96f6f40780a0ac61d68c253444d190b41dbcb9322d0a625aa
                                                                    • Instruction Fuzzy Hash: A67115B4E2521DCFDB14CFA9C980A9EFBB2BF89200F6482A9D505AB315D7349E41CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c9ec7004b3c3a7860b244def9901e6cc6fdbbce9c7a608f744b2a58133fef58f
                                                                    • Instruction ID: 651c287a8d1e850233760da5de3362c31682fb50e905c942c3da9da12b451b20
                                                                    • Opcode Fuzzy Hash: c9ec7004b3c3a7860b244def9901e6cc6fdbbce9c7a608f744b2a58133fef58f
                                                                    • Instruction Fuzzy Hash: 1C611CB4E14119DBDB14CFAAC980A9EFBF2FF89200F64C5AAD508A7345D7349A41CF61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: deac5938fd508aab1ec8bb9c5833f9df95ecfb2e04127832705c16a989a69bf5
                                                                    • Instruction ID: 593085ac68dad01e84096befe6c12e37c921379fcdc4a4198597a698a34f6c80
                                                                    • Opcode Fuzzy Hash: deac5938fd508aab1ec8bb9c5833f9df95ecfb2e04127832705c16a989a69bf5
                                                                    • Instruction Fuzzy Hash: 2F212FB1E097549FE749CF6BC85569ABBF3AFC9200F18C0B6C408AB265E7340546CF52
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 42c53d6d8cbff5feeb4d9fd5edf78e25c91bc7e1f20de5ee371c817d8bad47a8
                                                                    • Instruction ID: 9645938fa971671b487d3ced5bf6209a2622742a438695bec3caea21e06b77fa
                                                                    • Opcode Fuzzy Hash: 42c53d6d8cbff5feeb4d9fd5edf78e25c91bc7e1f20de5ee371c817d8bad47a8
                                                                    • Instruction Fuzzy Hash: 151129B1E116199BEB08CFAAD9416DEFBF7BFC9210F14C06AD508A7314EB305A018B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.686290571.0000000007B10000.00000040.00000001.sdmp, Offset: 07B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 95b356eea5114f59f7923470167c2d129acd04f0fefa0633f2930472d3f617a8
                                                                    • Instruction ID: e10bea025ff41e0b080e73b66bc2b4ff85708ad9a3feb2f8d0cf89b732dbe487
                                                                    • Opcode Fuzzy Hash: 95b356eea5114f59f7923470167c2d129acd04f0fefa0633f2930472d3f617a8
                                                                    • Instruction Fuzzy Hash: E6112EB1E116199BEB48CFAAD94169EFBF7BFC8210F14C06AD508B7354DB305A418B51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%