Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report G9xXUq625O

Overview

General Information

Sample Name:G9xXUq625O (renamed file extension from none to exe)
Analysis ID:432748
MD5:9a188a4b5ab76f5d53892f7bcd5dfbeb
SHA1:b61e66760f0959fbb3f66daa0840eb40121827c7
SHA256:12b582ab21f7f9cd0f7475461d4f3e12ea5b8ce8ea86010e062d6dc7b5d83473
Tags:AgentTeslaexetrojan
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • G9xXUq625O.exe (PID: 6320 cmdline: 'C:\Users\user\Desktop\G9xXUq625O.exe' MD5: 9A188A4B5AB76F5D53892F7BCD5DFBEB)
    • G9xXUq625O.exe (PID: 7144 cmdline: {path} MD5: 9A188A4B5AB76F5D53892F7BCD5DFBEB)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "macslog@lontor.cf7213575aceACE@#$lontor.cfmacs@lontor.cf"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000000.425863712.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000009.00000000.425863712.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000000.00000002.431520750.000000000426A000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.431520750.000000000426A000.00000004.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            9.2.G9xXUq625O.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              9.2.G9xXUq625O.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                9.0.G9xXUq625O.exe.400000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  9.0.G9xXUq625O.exe.400000.1.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    0.2.G9xXUq625O.exe.432b7f8.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 3 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "macslog@lontor.cf7213575aceACE@#$lontor.cfmacs@lontor.cf"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: G9xXUq625O.exeVirustotal: Detection: 31%Perma Link
                      Source: G9xXUq625O.exeReversingLabs: Detection: 39%
                      Source: 9.0.G9xXUq625O.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 0.2.G9xXUq625O.exe.e50000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen2
                      Source: 9.2.G9xXUq625O.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Detected unpacking (overwrites its own PE header)Show sources
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeUnpacked PE file: 0.2.G9xXUq625O.exe.e50000.0.unpack
                      Source: G9xXUq625O.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: G9xXUq625O.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then push dword ptr [ebp-24h]0_2_07B24678
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh0_2_07B24678
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h0_2_07B241E8
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then push dword ptr [ebp-20h]0_2_07B24358
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh0_2_07B24358
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then push dword ptr [ebp-20h]0_2_07B2434D
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh0_2_07B2434D
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then push dword ptr [ebp-24h]0_2_07B24619
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh0_2_07B24619
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then push dword ptr [ebp-24h]0_2_07B2466C
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh0_2_07B2466C
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then xor edx, edx0_2_07B245B0
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then xor edx, edx0_2_07B245A4
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h0_2_07B241DC
                      Source: G9xXUq625O.exe, 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: G9xXUq625O.exe, 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: G9xXUq625O.exe, 00000000.00000003.335915924.00000000064DE000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: G9xXUq625O.exe, 00000000.00000003.336235565.00000000064FD000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: G9xXUq625O.exe, 00000000.00000003.336235565.00000000064FD000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coma
                      Source: G9xXUq625O.exe, 00000000.00000003.336235565.00000000064FD000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comac
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: G9xXUq625O.exe, 00000000.00000003.341188332.00000000064FB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: G9xXUq625O.exe, 00000000.00000003.342278557.00000000064FB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: G9xXUq625O.exe, 00000000.00000003.342278557.00000000064FB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlX
                      Source: G9xXUq625O.exe, 00000000.00000003.341200323.00000000064DB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers6
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: G9xXUq625O.exe, 00000000.00000003.341477817.00000000064DB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers:
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: G9xXUq625O.exe, 00000000.00000003.342474385.00000000064DB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersK
                      Source: G9xXUq625O.exe, 00000000.00000003.341742819.00000000064DB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersQ
                      Source: G9xXUq625O.exe, 00000000.00000003.342518355.00000000064DB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersn
                      Source: G9xXUq625O.exe, 00000000.00000003.342266364.00000000064DB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersr
                      Source: G9xXUq625O.exe, 00000000.00000003.341742819.00000000064DB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: G9xXUq625O.exe, 00000000.00000003.335646579.00000000064F6000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.cj
                      Source: G9xXUq625O.exe, 00000000.00000003.335400304.00000000064DC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: G9xXUq625O.exe, 00000000.00000003.335290383.00000000064FE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn%
                      Source: G9xXUq625O.exe, 00000000.00000003.334737506.00000000064FC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: G9xXUq625O.exe, 00000000.00000003.335618631.00000000064F6000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/o
                      Source: G9xXUq625O.exe, 00000000.00000003.335618631.00000000064F6000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnC
                      Source: G9xXUq625O.exe, 00000000.00000003.335349159.00000000064F6000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnG
                      Source: G9xXUq625O.exe, 00000000.00000003.335104036.00000000064FE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnN
                      Source: G9xXUq625O.exe, 00000000.00000003.335481983.00000000064F8000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnO
                      Source: G9xXUq625O.exe, 00000000.00000003.335364432.00000000064FE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cngsP/
                      Source: G9xXUq625O.exe, 00000000.00000003.345811790.00000000064FC000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/2
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: G9xXUq625O.exe, 00000000.00000003.345811790.00000000064FC000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/T
                      Source: G9xXUq625O.exe, 00000000.00000003.346317691.00000000064FC000.00000004.00000001.sdmp, G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: G9xXUq625O.exe, 00000000.00000003.334582934.00000000064FC000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: G9xXUq625O.exe, 00000000.00000003.337743291.00000000064FB000.00000004.00000001.sdmp, G9xXUq625O.exe, 00000000.00000003.337720985.000000000650C000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: G9xXUq625O.exe, 00000000.00000003.338034016.000000000650C000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comgr
                      Source: G9xXUq625O.exe, 00000000.00000003.334582934.00000000064FC000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: G9xXUq625O.exe, 00000000.00000003.334512856.00000000064FB000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krFd
                      Source: G9xXUq625O.exe, 00000000.00000003.334582934.00000000064FC000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krY
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: G9xXUq625O.exe, 00000000.00000003.336417842.00000000064FD000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comslnt
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: G9xXUq625O.exe, 00000000.00000003.342595548.00000000064FC000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: G9xXUq625O.exe, 00000000.00000003.342595548.00000000064FC000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deeg
                      Source: G9xXUq625O.exe, 00000000.00000003.341188332.00000000064FB000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deoM
                      Source: G9xXUq625O.exe, 00000000.00000003.341109149.00000000064FB000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deoi
                      Source: G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: G9xXUq625O.exe, 00000000.00000003.336038601.00000000064FD000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.q
                      Source: G9xXUq625O.exe, 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpString found in binary or memory: http://xUCQUz.com
                      Source: G9xXUq625O.exe, 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: G9xXUq625O.exe, 00000000.00000002.431520750.000000000426A000.00000004.00000001.sdmp, G9xXUq625O.exe, 00000009.00000000.425863712.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: G9xXUq625O.exe, 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      Spam, unwanted Advertisements and Ransom Demands:

                      barindex
                      Modifies the hosts fileShow sources
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 9.0.G9xXUq625O.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bC788BFD1u002d279Cu002d4938u002dAFC9u002d1DDB46B7D56Cu007d/u003774D2A61u002dB721u002d47D3u002dB82Fu002d601916BBAB74.csLarge array initialization: .cctor: array initializer size 11990
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_052500060_2_05250006
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_052500400_2_05250040
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B286E00_2_07B286E0
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B296100_2_07B29610
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B23A600_2_07B23A60
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2BD280_2_07B2BD28
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B265080_2_07B26508
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B221450_2_07B22145
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B27CB80_2_07B27CB8
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2DCA80_2_07B2DCA8
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B260900_2_07B26090
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B22C300_2_07B22C30
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B270600_2_07B27060
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B26FFE0_2_07B26FFE
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2BB600_2_07B2BB60
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2BB510_2_07B2BB51
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2B6B90_2_07B2B6B9
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2E6800_2_07B2E680
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B286D00_2_07B286D0
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2B6C80_2_07B2B6C8
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2CDB00_2_07B2CDB0
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2CD9A0_2_07B2CD9A
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B295E10_2_07B295E1
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2A5300_2_07B2A530
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2A5200_2_07B2A520
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2BD180_2_07B2BD18
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2B9000_2_07B2B900
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B251600_2_07B25160
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B251500_2_07B25150
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2E1580_2_07B2E158
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B27CA80_2_07B27CA8
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2B8F00_2_07B2B8F0
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B264F80_2_07B264F8
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2B0780_2_07B2B078
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2705A0_2_07B2705A
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 9_2_015247A09_2_015247A0
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 9_2_015247109_2_01524710
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 9_2_015246B09_2_015246B0
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 9_2_0152D8219_2_0152D821
                      Source: G9xXUq625O.exeBinary or memory string: OriginalFilename vs G9xXUq625O.exe
                      Source: G9xXUq625O.exe, 00000000.00000002.443019153.0000000007E70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs G9xXUq625O.exe
                      Source: G9xXUq625O.exe, 00000000.00000000.330359127.0000000000F2E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAhdM.exe: vs G9xXUq625O.exe
                      Source: G9xXUq625O.exe, 00000000.00000002.429573999.0000000003255000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWMOMMdfVSdGrTsqbxpwwFtKlBIjsvLnX.exe4 vs G9xXUq625O.exe
                      Source: G9xXUq625O.exe, 00000000.00000002.444427406.0000000009890000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs G9xXUq625O.exe
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWindowsNetwork.dll> vs G9xXUq625O.exe
                      Source: G9xXUq625O.exe, 00000009.00000000.425531019.0000000000DBE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAhdM.exe: vs G9xXUq625O.exe
                      Source: G9xXUq625O.exe, 00000009.00000002.604637244.0000000005670000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbemdisp.tlbj% vs G9xXUq625O.exe
                      Source: G9xXUq625O.exe, 00000009.00000002.599032014.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWMOMMdfVSdGrTsqbxpwwFtKlBIjsvLnX.exe4 vs G9xXUq625O.exe
                      Source: G9xXUq625O.exeBinary or memory string: OriginalFilenameAhdM.exe: vs G9xXUq625O.exe
                      Source: G9xXUq625O.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 9.0.G9xXUq625O.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.G9xXUq625O.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.adwa.evad.winEXE@3/2@0/0
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\G9xXUq625O.exe.logJump to behavior
                      Source: G9xXUq625O.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: G9xXUq625O.exeVirustotal: Detection: 31%
                      Source: G9xXUq625O.exeReversingLabs: Detection: 39%
                      Source: unknownProcess created: C:\Users\user\Desktop\G9xXUq625O.exe 'C:\Users\user\Desktop\G9xXUq625O.exe'
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess created: C:\Users\user\Desktop\G9xXUq625O.exe {path}
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess created: C:\Users\user\Desktop\G9xXUq625O.exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: G9xXUq625O.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: G9xXUq625O.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      Detected unpacking (changes PE section rights)Show sources
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeUnpacked PE file: 0.2.G9xXUq625O.exe.e50000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                      Detected unpacking (overwrites its own PE header)Show sources
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeUnpacked PE file: 0.2.G9xXUq625O.exe.e50000.0.unpack
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_00E54290 push ds; ret 0_2_00E54291
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_052505C2 push edi; retf 0_2_052505C3
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_05254F7D push dword ptr [edx+ebp*2-75h]; iretd 0_2_05254F87
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B2CD86 pushfd ; retf 0_2_07B2CD99
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 0_2_07B27CA8 push eax; ret 0_2_07B27CDD
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeCode function: 9_2_00CE4290 push ds; ret 9_2_00CE4291
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.02711438354
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: G9xXUq625O.exe PID: 6320, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeWindow / User API: threadDelayed 1861Jump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeWindow / User API: threadDelayed 7983Jump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exe TID: 6432Thread sleep time: -58000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exe TID: 6400Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exe TID: 7000Thread sleep count: 31 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exe TID: 7000Thread sleep time: -28592453314249787s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exe TID: 7004Thread sleep count: 1861 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exe TID: 7004Thread sleep count: 7983 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: G9xXUq625O.exe, 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeMemory written: C:\Users\user\Desktop\G9xXUq625O.exe base: 400000 value starts with: 4D5AJump to behavior
                      Modifies the hosts fileShow sources
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeProcess created: C:\Users\user\Desktop\G9xXUq625O.exe {path}Jump to behavior
                      Source: G9xXUq625O.exe, 00000009.00000002.601552565.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: G9xXUq625O.exe, 00000009.00000002.601552565.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: G9xXUq625O.exe, 00000009.00000002.601552565.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
                      Source: G9xXUq625O.exe, 00000009.00000002.601552565.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Users\user\Desktop\G9xXUq625O.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Users\user\Desktop\G9xXUq625O.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      barindex
                      Modifies the hosts fileShow sources
                      Source: C:\Users\user\Desktop\G9xXUq625O.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000009.00000000.425863712.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.431520750.000000000426A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.599032014.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 9.2.G9xXUq625O.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.0.G9xXUq625O.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.G9xXUq625O.exe.432b7f8.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.G9xXUq625O.exe.432b7f8.3.raw.unpack, type: UNPACKEDPE
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000009.00000000.425863712.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.431520750.000000000426A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.599032014.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: G9xXUq625O.exe PID: 7144, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: G9xXUq625O.exe PID: 6320, type: MEMORY
                      Source: Yara matchFile source: 9.2.G9xXUq625O.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.0.G9xXUq625O.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.G9xXUq625O.exe.432b7f8.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.G9xXUq625O.exe.432b7f8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: G9xXUq625O.exe PID: 7144, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000009.00000000.425863712.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.431520750.000000000426A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.599032014.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 9.2.G9xXUq625O.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.0.G9xXUq625O.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.G9xXUq625O.exe.432b7f8.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.G9xXUq625O.exe.432b7f8.3.raw.unpack, type: UNPACKEDPE
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000009.00000000.425863712.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.431520750.000000000426A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.599032014.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: G9xXUq625O.exe PID: 7144, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: G9xXUq625O.exe PID: 6320, type: MEMORY
                      Source: Yara matchFile source: 9.2.G9xXUq625O.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.0.G9xXUq625O.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.G9xXUq625O.exe.432b7f8.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.G9xXUq625O.exe.432b7f8.3.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection112Masquerading1OS Credential DumpingQuery Registry1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsFile and Directory Permissions Modification1LSASS MemorySecurity Software Discovery211Remote Desktop ProtocolClipboard Data1Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Virtualization/Sandbox Evasion131NTDSVirtualization/Sandbox Evasion131Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptProcess Injection112LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonDeobfuscate/Decode Files or Information1Cached Domain CredentialsSystem Information Discovery113VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing22Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      G9xXUq625O.exe32%VirustotalBrowse
                      G9xXUq625O.exe39%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      9.0.G9xXUq625O.exe.400000.1.unpack100%AviraTR/Spy.Gen8Download File
                      0.2.G9xXUq625O.exe.e50000.0.unpack100%AviraTR/Crypt.XPACK.Gen2Download File
                      9.2.G9xXUq625O.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://www.founder.com.cn/cnO0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnN0%Avira URL Cloudsafe
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.sandoll.co.krFd0%Avira URL Cloudsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.founder.com.cn/cnG0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnC0%URL Reputationsafe
                      http://www.founder.com.cn/cnC0%URL Reputationsafe
                      http://www.founder.com.cn/cnC0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.sandoll.co.krY0%Avira URL Cloudsafe
                      http://www.urwpp.deoi0%Avira URL Cloudsafe
                      http://www.founder.cj0%Avira URL Cloudsafe
                      http://xUCQUz.com0%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.carterandcone.comac0%Avira URL Cloudsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://www.founder.com.cn/cn/o0%Avira URL Cloudsafe
                      http://www.carterandcone.coma0%URL Reputationsafe
                      http://www.carterandcone.coma0%URL Reputationsafe
                      http://www.carterandcone.coma0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://www.urwpp.deoM0%Avira URL Cloudsafe
                      http://www.tiro.comslnt0%URL Reputationsafe
                      http://www.tiro.comslnt0%URL Reputationsafe
                      http://www.tiro.comslnt0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.galapagosdesign.com/T0%Avira URL Cloudsafe
                      http://www.sakkal.comgr0%Avira URL Cloudsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.urwpp.deeg0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.galapagosdesign.com/20%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.zhongyicts.com.cno.q0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cngsP/0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.founder.com.cn/cnOG9xXUq625O.exe, 00000000.00000003.335481983.00000000064F8000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.founder.com.cn/cnNG9xXUq625O.exe, 00000000.00000003.335104036.00000000064FE000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://127.0.0.1:HTTP/1.1G9xXUq625O.exe, 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.fontbureau.com/designersGG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.com/designers/?G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designersKG9xXUq625O.exe, 00000000.00000003.342474385.00000000064DB000.00000004.00000001.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bTheG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers?G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                              		high
                              http://www.tiro.comG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designersG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                		high
                                http://www.sandoll.co.krFdG9xXUq625O.exe, 00000000.00000003.334512856.00000000064FB000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.goodfont.co.krG9xXUq625O.exe, 00000000.00000003.334582934.00000000064FC000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.carterandcone.comG9xXUq625O.exe, 00000000.00000003.336235565.00000000064FD000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersQG9xXUq625O.exe, 00000000.00000003.341742819.00000000064DB000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.founder.com.cn/cnGG9xXUq625O.exe, 00000000.00000003.335349159.00000000064F6000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.founder.com.cn/cnCG9xXUq625O.exe, 00000000.00000003.335618631.00000000064F6000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sajatypeworks.comG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn/cTheG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmG9xXUq625O.exe, 00000000.00000003.346317691.00000000064FC000.00000004.00000001.sdmp, G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://fontfabrik.comG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sandoll.co.krYG9xXUq625O.exe, 00000000.00000003.334582934.00000000064FC000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.urwpp.deoiG9xXUq625O.exe, 00000000.00000003.341109149.00000000064FB000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.founder.cjG9xXUq625O.exe, 00000000.00000003.335646579.00000000064F6000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://xUCQUz.comG9xXUq625O.exe, 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.galapagosdesign.com/DPleaseG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  https://api.ipify.org%GETMozilla/5.0G9xXUq625O.exe, 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		low
                                  http://www.fonts.comG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.sandoll.co.krG9xXUq625O.exe, 00000000.00000003.334582934.00000000064FC000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.carterandcone.comacG9xXUq625O.exe, 00000000.00000003.336235565.00000000064FD000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.urwpp.deDPleaseG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.urwpp.deG9xXUq625O.exe, 00000000.00000003.342595548.00000000064FC000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.zhongyicts.com.cnG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.sakkal.comG9xXUq625O.exe, 00000000.00000003.337743291.00000000064FB000.00000004.00000001.sdmp, G9xXUq625O.exe, 00000000.00000003.337720985.000000000650C000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipG9xXUq625O.exe, 00000000.00000002.431520750.000000000426A000.00000004.00000001.sdmp, G9xXUq625O.exe, 00000009.00000000.425863712.0000000000402000.00000040.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designersnG9xXUq625O.exe, 00000000.00000003.342518355.00000000064DB000.00000004.00000001.sdmpfalse
                                      		high
                                      http://www.founder.com.cn/cn/oG9xXUq625O.exe, 00000000.00000003.335618631.00000000064F6000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.fontbureau.com/designerstG9xXUq625O.exe, 00000000.00000003.341742819.00000000064DB000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.fontbureau.com/designersrG9xXUq625O.exe, 00000000.00000003.342266364.00000000064DB000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.carterandcone.comaG9xXUq625O.exe, 00000000.00000003.336235565.00000000064FD000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.apache.org/licenses/LICENSE-2.0G9xXUq625O.exe, 00000000.00000003.335915924.00000000064DE000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.fontbureau.comG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                              		high
                                              http://DynDns.comDynDNSG9xXUq625O.exe, 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.urwpp.deoMG9xXUq625O.exe, 00000000.00000003.341188332.00000000064FB000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.tiro.comslntG9xXUq625O.exe, 00000000.00000003.336417842.00000000064FD000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haG9xXUq625O.exe, 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.galapagosdesign.com/TG9xXUq625O.exe, 00000000.00000003.345811790.00000000064FC000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/frere-jones.htmlXG9xXUq625O.exe, 00000000.00000003.342278557.00000000064FB000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.sakkal.comgrG9xXUq625O.exe, 00000000.00000003.338034016.000000000650C000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.carterandcone.comlG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.urwpp.deegG9xXUq625O.exe, 00000000.00000003.342595548.00000000064FC000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.founder.com.cn/cn/G9xXUq625O.exe, 00000000.00000003.334737506.00000000064FC000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                                  		high
                                                  http://www.founder.com.cn/cnG9xXUq625O.exe, 00000000.00000003.335400304.00000000064DC000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers/frere-jones.htmlG9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                                    		high
                                                    http://www.galapagosdesign.com/2G9xXUq625O.exe, 00000000.00000003.345811790.00000000064FC000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlG9xXUq625O.exe, 00000000.00000003.342278557.00000000064FB000.00000004.00000001.sdmpfalse
                                                      		high
                                                      http://www.jiyu-kobo.co.jp/G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designers8G9xXUq625O.exe, 00000000.00000002.440400052.00000000065C0000.00000002.00000001.sdmpfalse
                                                        		high
                                                        http://www.fontbureau.com/designers6G9xXUq625O.exe, 00000000.00000003.341200323.00000000064DB000.00000004.00000001.sdmpfalse
                                                          		high
                                                          http://www.zhongyicts.com.cno.qG9xXUq625O.exe, 00000000.00000003.336038601.00000000064FD000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.fontbureau.com/designers:G9xXUq625O.exe, 00000000.00000003.341477817.00000000064DB000.00000004.00000001.sdmpfalse
                                                            		high
                                                            http://www.fontbureau.com/designers/G9xXUq625O.exe, 00000000.00000003.341188332.00000000064FB000.00000004.00000001.sdmpfalse
                                                              		high
                                                              http://www.founder.com.cn/cngsP/G9xXUq625O.exe, 00000000.00000003.335364432.00000000064FE000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://www.founder.com.cn/cn%G9xXUq625O.exe, 00000000.00000003.335290383.00000000064FE000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown

                                                              Contacted IPs

                                                              No contacted IP infos

                                                              General Information

                                                              Joe Sandbox Version:32.0.0 Black Diamond
                                                              Analysis ID:432748
                                                              Start date:10.06.2021
                                                              Start time:18:08:15
                                                              Joe Sandbox Product:CloudBasic
                                                              Overall analysis duration:0h 7m 15s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Sample file name:G9xXUq625O (renamed file extension from none to exe)
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                              Number of analysed new started processes analysed:22
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • HDC enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Detection:MAL
                                                              Classification:mal100.troj.adwa.evad.winEXE@3/2@0/0
                                                              EGA Information:Failed
                                                              HDC Information:
                                                              • Successful, ratio: 2.4% (good quality ratio 1.7%)
                                                              • Quality average: 48.6%
                                                              • Quality standard deviation: 37.7%
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 83
                                                              • Number of non-executed functions: 25
                                                              Cookbook Comments:
                                                              • Adjust boot time
                                                              • Enable AMSI
                                                              Warnings:
                                                              Show All
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.

                                                              Simulations

                                                              Behavior and APIs

                                                              TimeTypeDescription
                                                              18:10:13API Interceptor420x Sleep call for process: G9xXUq625O.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              No context

                                                              Domains

                                                              No context

                                                              ASN

                                                              No context

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\G9xXUq625O.exe.log
                                                              Process:C:\Users\user\Desktop\G9xXUq625O.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.355304211458859
                                                              Encrypted:false
                                                              SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                                              MD5:B666A4404B132B2BF6C04FBF848EB948
                                                              SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                                              SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                                              SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                                              Malicious:true
                                                              Reputation:moderate, very likely benign file
                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                              C:\Windows\System32\drivers\etc\hosts
                                                              Process:C:\Users\user\Desktop\G9xXUq625O.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:modified
                                                              Size (bytes):11
                                                              Entropy (8bit):2.663532754804255
                                                              Encrypted:false
                                                              SSDEEP:3:iLE:iLE
                                                              MD5:B24D295C1F84ECBFB566103374FB91C5
                                                              SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                                              SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                                              SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                                              Malicious:true
                                                              Reputation:high, very likely benign file
                                                              Preview: ..127.0.0.1

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.023268235807435
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              • DOS Executable Generic (2002/1) 0.01%
                                                              File name:G9xXUq625O.exe
                                                              File size:900096
                                                              MD5:9a188a4b5ab76f5d53892f7bcd5dfbeb
                                                              SHA1:b61e66760f0959fbb3f66daa0840eb40121827c7
                                                              SHA256:12b582ab21f7f9cd0f7475461d4f3e12ea5b8ce8ea86010e062d6dc7b5d83473
                                                              SHA512:4c9590485c926d537e060d98c48bede5ce8cf40253ea2ea388e272a624811c7d418ba1c4e1c1f9794d25e5238a835175b705369a146e4c8ea38634680f35f82d
                                                              SSDEEP:12288:RiqwSwbcBgHdd8+FnVQ6nGDFiDRoqIkaYdhWXUT1c9OlVfi1UarYOB79TAMHf5vW:JgQU324WFiDRoqNa7ElVfEDVB78
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..`..............0.................. ........@.. ....................... ............@................................

                                                              File Icon

                                                              Icon Hash:00828e8e8686b000

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x4dc5ae
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0x60C1986C [Thu Jun 10 04:43:24 2021 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xdc5540x57.text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xde0000x10f8.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xe00000xc.reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                              Sections

                                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              .text0x20000xda5b40xda600False0.651946864267data7.02711438354IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                              .rsrc0xde0000x10f80x1200False0.377604166667data4.90372949588IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc0xe00000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              NameRVASizeTypeLanguageCountry
                                                              RT_VERSION0xde0a00x32cdata
                                                              RT_MANIFEST0xde3cc0xd25XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

                                                              Imports

                                                              DLLImport
                                                              mscoree.dll_CorExeMain

                                                              Version Infos

                                                              DescriptionData
                                                              Translation0x0000 0x04b0
                                                              LegalCopyrightCopyright 2017 - 2021
                                                              Assembly Version1.0.0.0
                                                              InternalNameAhdM.exe
                                                              FileVersion1.0.0.0
                                                              CompanyName
                                                              LegalTrademarks
                                                              Comments
                                                              ProductNamePharmacy POS
                                                              ProductVersion1.0.0.0
                                                              FileDescriptionPharmacy POS
                                                              OriginalFilenameAhdM.exe

                                                              Network Behavior

                                                              No network behavior found

                                                              Code Manipulations

                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              Behavior

                                                              Click to jump to process

                                                              System Behavior

                                                              Analysis Process: G9xXUq625O.exe PID: 6320 Parent PID: 5880

                                                              General

                                                              Start time:18:09:07
                                                              Start date:10/06/2021
                                                              Path:C:\Users\user\Desktop\G9xXUq625O.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\Desktop\G9xXUq625O.exe'
                                                              Imagebase:0xe50000
                                                              File size:900096 bytes
                                                              MD5 hash:9A188A4B5AB76F5D53892F7BCD5DFBEB
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.431520750.000000000426A000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.431520750.000000000426A000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.429711902.0000000003263000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              Chronological Activities

                                                              Analysis Process: G9xXUq625O.exe PID: 7144 Parent PID: 6320

                                                              General

                                                              Start time:18:09:52
                                                              Start date:10/06/2021
                                                              Path:C:\Users\user\Desktop\G9xXUq625O.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:{path}
                                                              Imagebase:0xce0000
                                                              File size:900096 bytes
                                                              MD5 hash:9A188A4B5AB76F5D53892F7BCD5DFBEB
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.425863712.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.425863712.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.601783516.0000000003141000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.599032014.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.599032014.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              Chronological Activities

                                                              Disassembly

                                                              Code Analysis

                                                              Reset < >

                                                                Analysis Process: G9xXUq625O.exe PID: 6320 Parent PID: 5880 G9xXUq625O.exeCOMMON

                                                                Executed Functions

                                                                Function 07B295E1, Relevance: 4.1, Strings: 3, Instructions: 308COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: lZ=6$lZ=6$lZ=6
                                                                • API String ID: 0-2890344745
                                                                • Opcode ID: 0b52aa2a5f5ee95bf37afd05e60c14d89d5bb07fcbc0156110c355be9034cc5b
                                                                • Instruction ID: 815d8283307111b00dc4a96b02ae7fa28337112fc99bb2d2fc2596126906a6b9
                                                                • Opcode Fuzzy Hash: 0b52aa2a5f5ee95bf37afd05e60c14d89d5bb07fcbc0156110c355be9034cc5b
                                                                • Instruction Fuzzy Hash: 81D17CB0E1621ACFDB04CFA5C4858AEFBB6FF8A340F148595D419BB214D734AA42CF94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B29610, Relevance: 4.1, Strings: 3, Instructions: 302COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: lZ=6$lZ=6$lZ=6
                                                                • API String ID: 0-2890344745
                                                                • Opcode ID: 5411afecf012c0a69aebd2b0f5d76244600dd1072ef1a2d7c6a84804e561fd5b
                                                                • Instruction ID: a7258e39c5fff864c5401af3e71e046729053b359bd852b2a1e1c9856eec4939
                                                                • Opcode Fuzzy Hash: 5411afecf012c0a69aebd2b0f5d76244600dd1072ef1a2d7c6a84804e561fd5b
                                                                • Instruction Fuzzy Hash: 8AD14DB0D1221ADFDB04CFA6C4858AEFBB6FF8A340F148595D419BB214D734AA42CF94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B22C30, Relevance: .6, Instructions: 629COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7ce13f8ae7bb5a60d4a4591c5d39029313cef0da1e7dd068df5a929bdddc63e8
                                                                • Instruction ID: dc9e49a347bd5fe38f9af1b891deb5b565f2f33d7f8ade2d7fdfd191e0897fe1
                                                                • Opcode Fuzzy Hash: 7ce13f8ae7bb5a60d4a4591c5d39029313cef0da1e7dd068df5a929bdddc63e8
                                                                • Instruction Fuzzy Hash: F932B1B1B052258FDB18DF68C4946AEBBF2FF85200F1680A9D50ADB361DB35DC42DB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B22145, Relevance: .5, Instructions: 543COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fa8c31ed8c52eeba4661e53d2a4693924517ef4549cd4cfda7358e93b80a5fac
                                                                • Instruction ID: 85f193e392e5d8087781a0c1315b9d41e14a47e77cad19a03f2376d93e866b40
                                                                • Opcode Fuzzy Hash: fa8c31ed8c52eeba4661e53d2a4693924517ef4549cd4cfda7358e93b80a5fac
                                                                • Instruction Fuzzy Hash: 3542D774A051299FCB64EF24C998AADB7B6FF89304F1141D9D50AA73A4CF30AD81CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B23A60, Relevance: .3, Instructions: 315COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2240636b6bee78a146b9a1674710d9737459425c12741d78a08e910b307ecb39
                                                                • Instruction ID: 5107c2319352aa2a794575a2b39206904a4d83b18ac30ef5c3535c91ecd3a121
                                                                • Opcode Fuzzy Hash: 2240636b6bee78a146b9a1674710d9737459425c12741d78a08e910b307ecb39
                                                                • Instruction Fuzzy Hash: B4D10CB5E01219DFDB14DFA9C984A9DBBF2FF89300F1181A9E509AB364DB349846CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2DCA8, Relevance: .2, Instructions: 246COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4a99d2223bd09f1bc6ad0bfda9fe910dadbf17f6e06d67a32c280a90941715f6
                                                                • Instruction ID: 5e4cd6cf8e9268fe5032954b61f8ec7426e21915bca8fe6a2c9665d61bff9eb5
                                                                • Opcode Fuzzy Hash: 4a99d2223bd09f1bc6ad0bfda9fe910dadbf17f6e06d67a32c280a90941715f6
                                                                • Instruction Fuzzy Hash: A4A123B4E052698FDB04CFE9C5846DEFBF2BF89340F148569D408AB258E7349942CB65
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B26FFE, Relevance: .2, Instructions: 207COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4c64d73f4da31c93d44d44b90cdde3f10eaae224422ca97e3d5b0fec1b4f184d
                                                                • Instruction ID: 49ffcb14ea658a8e5b0f8bd70434777260092f8f753832e0a39b91a478bafd75
                                                                • Opcode Fuzzy Hash: 4c64d73f4da31c93d44d44b90cdde3f10eaae224422ca97e3d5b0fec1b4f184d
                                                                • Instruction Fuzzy Hash: E18135B4E052199FCB08CFE9D8809EEFBB2BF89304F10906AD515AB364D7319946CF55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B27060, Relevance: .2, Instructions: 195COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2d21ba6556a838a872696e874fb860fa038cab66def82bf2ae3dab1369e39ee8
                                                                • Instruction ID: 71dbfeb72acb2d9dd1652415e4b7a19767a98f9da17c11bd0e61751d7e1f59de
                                                                • Opcode Fuzzy Hash: 2d21ba6556a838a872696e874fb860fa038cab66def82bf2ae3dab1369e39ee8
                                                                • Instruction Fuzzy Hash: 2881A5B4E112198FDB08CFEAD84499EBBB2FF89300F10946AD519AB354DB349945CF54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2705A, Relevance: .2, Instructions: 192COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 32734bb979fd7ee3b13f367753daba523e0b60f42decdc26d7e9f2a5725ea7f4
                                                                • Instruction ID: 70eb4756c96d6080075b85753b465f3713d121f7222be2bf14586fe232c0da87
                                                                • Opcode Fuzzy Hash: 32734bb979fd7ee3b13f367753daba523e0b60f42decdc26d7e9f2a5725ea7f4
                                                                • Instruction Fuzzy Hash: EF81C5B4E112198FDB08CFE9C944AAEBBB2FF89300F10942AD519BB354DB349946CF54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B27CA8, Relevance: .2, Instructions: 157COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 343bf296bc2b8c5501d1fd7ce9c80a96c0167126d27df7c6a4f1caa32f18d1d2
                                                                • Instruction ID: 100415119790a245d50cf336758f26e0ece00133980416f0bfe45f6273b9b7dc
                                                                • Opcode Fuzzy Hash: 343bf296bc2b8c5501d1fd7ce9c80a96c0167126d27df7c6a4f1caa32f18d1d2
                                                                • Instruction Fuzzy Hash: 0B515DB0E15619DFDB08CFA6C4405AEFBF2FF89340F14946AD509B7264EB344A02DB68
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B26090, Relevance: .2, Instructions: 152COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6799f42141e2f088f4dc748e22dee82d359929ba29ce2da83621af7aae78e94b
                                                                • Instruction ID: d75ba49b7d745d2f1f4ad81ee996bbb3f15ada651e5f45c0ef085a7fc0164d53
                                                                • Opcode Fuzzy Hash: 6799f42141e2f088f4dc748e22dee82d359929ba29ce2da83621af7aae78e94b
                                                                • Instruction Fuzzy Hash: 7C51F5B4E01219DFDB14DFA9C9806EEFBB2FF89304F14C56AD418A7255DB34A942CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B27CB8, Relevance: .1, Instructions: 149COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3443490fca8e6d1971c1fe527b76e4f037cfd4cd6a258b3b6bd93150bcf468b1
                                                                • Instruction ID: 69854ca6d6adeca11f8061e0d84e37b3184c70c10aad76fdeb0040881cc07956
                                                                • Opcode Fuzzy Hash: 3443490fca8e6d1971c1fe527b76e4f037cfd4cd6a258b3b6bd93150bcf468b1
                                                                • Instruction Fuzzy Hash: 99514DB0D15619DFDB08CFAAC4405AEFBF2FF89340F14D56AD509B7264EB344A029B68
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B241DC, Relevance: .1, Instructions: 100COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0e8ccf94b324cbe80dc42d3de2469c890945eb3873722b840654a1862ab8e57b
                                                                • Instruction ID: 8007db8d673980ccf7823f44b0fe9a670493f8adf04cdbd528621fd9e0d84d45
                                                                • Opcode Fuzzy Hash: 0e8ccf94b324cbe80dc42d3de2469c890945eb3873722b840654a1862ab8e57b
                                                                • Instruction Fuzzy Hash: DC41CCB4D05258DFDB10CFA9C584A9EBBF0EB0A314F20902AE418BB250D7709945CF54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B24619, Relevance: .1, Instructions: 98COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 66952e11d0cfcf92c8dc5f9b3a6de6669405d05936ea0d07c07a2fedbeb67e1d
                                                                • Instruction ID: 87ab71ed7cc46c39ad927a8c7c0435d8621ad9e5470869cc78f7d22b3ac3461b
                                                                • Opcode Fuzzy Hash: 66952e11d0cfcf92c8dc5f9b3a6de6669405d05936ea0d07c07a2fedbeb67e1d
                                                                • Instruction Fuzzy Hash: 983137B4E052189FDB04CFA9D484AAEBBF1FF8A310F15D1AAD818A7360D7309941CF94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B241E8, Relevance: .1, Instructions: 94COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 92a4d1323a4b9c48186da443d01cd8a1c5bbfaf024c03d34924ac0a19bd42a3c
                                                                • Instruction ID: f1067b279165136651a13e5bff00b9fa1108edfb2fe80d314ba0e4c5dc09ce44
                                                                • Opcode Fuzzy Hash: 92a4d1323a4b9c48186da443d01cd8a1c5bbfaf024c03d34924ac0a19bd42a3c
                                                                • Instruction Fuzzy Hash: 7341A8B4D052589FDB10DFAAD584BDEBBF0BB0A314F20906AE418BB250DB74A949CF54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B26508, Relevance: .1, Instructions: 84COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bf503513d00a80d81aeea4d115790a383df8b1e8a7b2738fb3033dec9fa6f697
                                                                • Instruction ID: 3f8be3acac1002c7f92e9206885b8c5c256e82329fdb7bf3b5cf9ba06a54ac10
                                                                • Opcode Fuzzy Hash: bf503513d00a80d81aeea4d115790a383df8b1e8a7b2738fb3033dec9fa6f697
                                                                • Instruction Fuzzy Hash: AF31ECB1E016199BEB58CFABD844B9EBBF7BFC8204F04C1AAD50CA7254EB3059458F11
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2BD28, Relevance: .1, Instructions: 78COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f5afad7958067a181065922929f0f1077a78d9f31d76b869fa648b9c0e1bc281
                                                                • Instruction ID: 53f4bac70ff460b5602d76091cf52e3791387cb8505348d1ab79d36718f0a357
                                                                • Opcode Fuzzy Hash: f5afad7958067a181065922929f0f1077a78d9f31d76b869fa648b9c0e1bc281
                                                                • Instruction Fuzzy Hash: 0931DCB1E016188BEB58DFABD84079EFBF3AFC8200F04C5BAD508A7214DB305A468F55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B286E0, Relevance: .1, Instructions: 74COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5fc2540d5bf8a33236b7285743c91cf3d0c933f15b9fe89faaa14ab844d501a8
                                                                • Instruction ID: 700081d1ce73e2c78d96df7d484fd90453fb178a157e276164b40035c7de9897
                                                                • Opcode Fuzzy Hash: 5fc2540d5bf8a33236b7285743c91cf3d0c933f15b9fe89faaa14ab844d501a8
                                                                • Instruction Fuzzy Hash: AE31B4B1E016188BEB18CFABD8447DEFBB2AFC8340F14C16AD509A6254DB341A468F90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B286D0, Relevance: .1, Instructions: 73COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8d4d2ea8ad941cc64b1338dc00427c21b7a803813f114833ff584120406f7b06
                                                                • Instruction ID: ceaa610460b30612dc347265501d344b7bd955d69cd80c6cbf84e06e8350ef87
                                                                • Opcode Fuzzy Hash: 8d4d2ea8ad941cc64b1338dc00427c21b7a803813f114833ff584120406f7b06
                                                                • Instruction Fuzzy Hash: DD31C7B0E016188BEB19CFABD85479EBFF3AFC9340F14C16AD409A6264DB741A46CF54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2466C, Relevance: .1, Instructions: 63COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 083c75bfe3f59a5404196d56b7a2d1aca93e4791fd909b4065ff3e534d34adf9
                                                                • Instruction ID: 09c4cd4c3ed38d8ae0c68180e1f4f9757d01baa731acbed8fe162dc6ede634cb
                                                                • Opcode Fuzzy Hash: 083c75bfe3f59a5404196d56b7a2d1aca93e4791fd909b4065ff3e534d34adf9
                                                                • Instruction Fuzzy Hash: 7A21A3B4D01219DFDB04DFAAC4846EEBBF1EB4A350F10D165E828B7250D7349941DF58
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B24678, Relevance: .1, Instructions: 59COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5348b12cc7c87a7badf4f6d7ec92c5c159a201f8e166812ee1be2f6f474b61fa
                                                                • Instruction ID: aaf9ed7d6f2c094205ee36898320bddb1f9afb7ad704b9278a9b308d43eefbfc
                                                                • Opcode Fuzzy Hash: 5348b12cc7c87a7badf4f6d7ec92c5c159a201f8e166812ee1be2f6f474b61fa
                                                                • Instruction Fuzzy Hash: 16219FB4D01219DFDB14DFAAD4446EEBBF1AB4A310F10E169E828B7260D7349941DF98
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05251716, Relevance: 1.7, APIs: 1, Instructions: 223processCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 052518FC
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0
                                                                • Opcode ID: e16834ca561d1c4f907d077ee476d03dcb390dd1a8730dc726e2405391d4e5b4
                                                                • Instruction ID: 3068747def30f68f55c39593eab611b6c3415f481280014d93725487efb870aa
                                                                • Opcode Fuzzy Hash: e16834ca561d1c4f907d077ee476d03dcb390dd1a8730dc726e2405391d4e5b4
                                                                • Instruction Fuzzy Hash: EC81F375C04269CFDB20CFA8C880BDDBBB1BF09304F1191AAE549B7250DB709A85CF64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05251720, Relevance: 1.7, APIs: 1, Instructions: 222processCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 052518FC
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0
                                                                • Opcode ID: cb9eae13a134a3e5e6e5034159b7ecc8a4d144f4238446189e5c000f85edc6cf
                                                                • Instruction ID: 3a2d76b7880a3609e63968c94b950dc0f4c527bfce75794d64d82a6da5939963
                                                                • Opcode Fuzzy Hash: cb9eae13a134a3e5e6e5034159b7ecc8a4d144f4238446189e5c000f85edc6cf
                                                                • Instruction Fuzzy Hash: 8B81F374C04269CFDB20CFA9C880BDDBBB1BF49304F1191AAE549B7250DB709A85CF64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05251EBB, Relevance: 1.6, APIs: 1, Instructions: 113injectionCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05251F96
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0
                                                                • Opcode ID: 3c6090591dcc08eb5419784b6342ea1fd1d42425492815b1d2155cb17d315d05
                                                                • Instruction ID: 491d0c3e2180c7517f519186d94902c4162a0d7764d73f5de03e8564931076ef
                                                                • Opcode Fuzzy Hash: 3c6090591dcc08eb5419784b6342ea1fd1d42425492815b1d2155cb17d315d05
                                                                • Instruction Fuzzy Hash: D84188B5D042589FCB00CFA9D984ADEFBF1BB09324F24902AE819B7310D374AA55CB64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05251EC0, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05251F96
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0
                                                                • Opcode ID: 944faab5c8f4b3b15d7e5f217814bb89c4e1d302b502be57b33f83c4e526ee54
                                                                • Instruction ID: d4955cdd4189fd12ae8e7e8827a2b018e5944d8192f2c94ca8c37d547e5012d8
                                                                • Opcode Fuzzy Hash: 944faab5c8f4b3b15d7e5f217814bb89c4e1d302b502be57b33f83c4e526ee54
                                                                • Instruction Fuzzy Hash: 744188B5D042589FCB00CFA9D984ADEFBF1BB09324F24902AE818B7210D374AA55CB64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05251C88, Relevance: 1.6, APIs: 1, Instructions: 104COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05251D45
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: MemoryProcessRead
                                                                • String ID:
                                                                • API String ID: 1726664587-0
                                                                • Opcode ID: 1a27d4ec19decb3f5f11e4d1d0170f22591a978ee08c693ecd24c595fb45e4b3
                                                                • Instruction ID: 6099a7580e8d24f314e01b6122937e2dcb1d5841e8fd71b00b8e9291ceaac2b1
                                                                • Opcode Fuzzy Hash: 1a27d4ec19decb3f5f11e4d1d0170f22591a978ee08c693ecd24c595fb45e4b3
                                                                • Instruction Fuzzy Hash: DC4197B9D04258DFCF10CFAAD984AEEFBB1BB19324F10902AE814B7210D375A945CF64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05251C90, Relevance: 1.6, APIs: 1, Instructions: 102COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05251D45
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: MemoryProcessRead
                                                                • String ID:
                                                                • API String ID: 1726664587-0
                                                                • Opcode ID: 7b1b08ed3b1cf04e063032ee98fe02145e17746cb9e5666377b3cb2f7e6f332e
                                                                • Instruction ID: c4dcfe41353d93ac81f5ddc69fbc6989347d70937d028ad132cd605e57fab333
                                                                • Opcode Fuzzy Hash: 7b1b08ed3b1cf04e063032ee98fe02145e17746cb9e5666377b3cb2f7e6f332e
                                                                • Instruction Fuzzy Hash: 1A4176B9D042589FCF10CFAAD984ADEFBB5BB19320F10902AE814B7210D375A945CF64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05251DAB, Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05251E5D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: bb7fbb6492300d1fed35c66bbbdca8caa78635c7bfccde7e7ea30c764f42312e
                                                                • Instruction ID: d799ca21836cdbc3eadd9db11e4663485df857f1fb4b29fbf3af219b3b51e882
                                                                • Opcode Fuzzy Hash: bb7fbb6492300d1fed35c66bbbdca8caa78635c7bfccde7e7ea30c764f42312e
                                                                • Instruction Fuzzy Hash: DC3185B8D04258DFCF10CFA9D880A9EFBB5BB09320F10A02AE818B7310D735A945CF64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05251DB0, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05251E5D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 1e4ff7464a498628394ceeb0256b8910f5414025d0723738b60106a2f97aad6a
                                                                • Instruction ID: 87536ba3cddd0ffc34f06aa8adc57240cfa393771a5ea23b5c80b014b153cd2b
                                                                • Opcode Fuzzy Hash: 1e4ff7464a498628394ceeb0256b8910f5414025d0723738b60106a2f97aad6a
                                                                • Instruction Fuzzy Hash: 423165B8D04258DFCF10CFA9D984A9EFBB5BB19320F10902AE818B7310D775A945CF65
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05251B73, Relevance: 1.6, APIs: 1, Instructions: 91threadinjectionCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • SetThreadContext.KERNELBASE(?,?), ref: 05251C2A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: ContextThread
                                                                • String ID:
                                                                • API String ID: 1591575202-0
                                                                • Opcode ID: f61858489fba454242d02003f49cc292ece308b969cca48fc216d04bf876e983
                                                                • Instruction ID: edc96588a73f114e48ed9c7949bdf23cef680570fce2f6fe6ef2dade734ae202
                                                                • Opcode Fuzzy Hash: f61858489fba454242d02003f49cc292ece308b969cca48fc216d04bf876e983
                                                                • Instruction Fuzzy Hash: 8131B8B5D002589FCB10CFAAD884ADEFBF0BF49314F24802AE418B7210D778AA45CF64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05251B78, Relevance: 1.6, APIs: 1, Instructions: 90threadinjectionCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • SetThreadContext.KERNELBASE(?,?), ref: 05251C2A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: ContextThread
                                                                • String ID:
                                                                • API String ID: 1591575202-0
                                                                • Opcode ID: 79a5c58f9d04592ebaa4a9aadcada87cb82d73fca34af0def034497268515816
                                                                • Instruction ID: 142c8cd0a1bee25d07a0c8d4ab95368cf062a7f8f6eb3b85769ebf951436c4b8
                                                                • Opcode Fuzzy Hash: 79a5c58f9d04592ebaa4a9aadcada87cb82d73fca34af0def034497268515816
                                                                • Instruction Fuzzy Hash: 4D31A9B5D052589FCB10CFAAD984ADEFBF1BF49314F24802AE418B7210D779AA45CF64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05252490, Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • PostMessageW.USER32(?,?,?,?), ref: 05252533
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: MessagePost
                                                                • String ID:
                                                                • API String ID: 410705778-0
                                                                • Opcode ID: 3e9e54b39b4cff6edef84ee6d441fd44f148f42cc1ad806d8b426ad7331031fa
                                                                • Instruction ID: e1133de6b7c13b596317402e28ffdbf96f8b50d74db47c3d7be3812b28104203
                                                                • Opcode Fuzzy Hash: 3e9e54b39b4cff6edef84ee6d441fd44f148f42cc1ad806d8b426ad7331031fa
                                                                • Instruction Fuzzy Hash: 713177B9D00248AFCB10CFA9E584ADEFBF5BB59320F14901AE814B7310D375A945CF64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05252498, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • PostMessageW.USER32(?,?,?,?), ref: 05252533
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: MessagePost
                                                                • String ID:
                                                                • API String ID: 410705778-0
                                                                • Opcode ID: 4adcf7fa7c97cb01d8a77df8c773294b427008e48351e50cba407930fe1df5e1
                                                                • Instruction ID: d7faa4961a2b5a49bd99353d3228b2e62c102c8b6a617c3bc603b0f71ff0ebce
                                                                • Opcode Fuzzy Hash: 4adcf7fa7c97cb01d8a77df8c773294b427008e48351e50cba407930fe1df5e1
                                                                • Instruction Fuzzy Hash: B13166B9D00258AFCB14CFA9E984A9EFBF5AB59320F14901AE814B7310D375A945CFA4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 052520E0, Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • ResumeThread.KERNELBASE(?), ref: 05252166
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: ResumeThread
                                                                • String ID:
                                                                • API String ID: 947044025-0
                                                                • Opcode ID: 34fa0d01202113063b013e6c0de36e75ec5270f9c26055f711ed23a64dc2ea89
                                                                • Instruction ID: 0b37683fe95972505c3af69bf9e36981dbc233364bd62bfeb12280ccee86574e
                                                                • Opcode Fuzzy Hash: 34fa0d01202113063b013e6c0de36e75ec5270f9c26055f711ed23a64dc2ea89
                                                                • Instruction Fuzzy Hash: 5431A8B8D002089FCB10CFA9D884ADEFBF4BB49324F14945AE918B3300D735A845CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 052520E8, Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • ResumeThread.KERNELBASE(?), ref: 05252166
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID: ResumeThread
                                                                • String ID:
                                                                • API String ID: 947044025-0
                                                                • Opcode ID: 425e8ba0cbefbbe9c556675d04ad35a221c950b1f1071ca574c697c4658c0a01
                                                                • Instruction ID: 6688e041d187b16f8db7b746fd86deb7c3e20f9bc9791dcb26f2752f0b7fad4c
                                                                • Opcode Fuzzy Hash: 425e8ba0cbefbbe9c556675d04ad35a221c950b1f1071ca574c697c4658c0a01
                                                                • Instruction Fuzzy Hash: 402197B8D002189FCB10CFA9D884ADEFBF4BB49324F14945AE918B3300D775A945CFA4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B25E80, Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: E
                                                                • API String ID: 0-3568589458
                                                                • Opcode ID: cc562ae4cc3251ecd521c11b60d6eea7d62f52d54ce77ca08dd7556ab8c0a4cb
                                                                • Instruction ID: 3c3b03da63c83c086762fb4a86b8bcbbd5a0499293dbc35c5e078989f5ef11da
                                                                • Opcode Fuzzy Hash: cc562ae4cc3251ecd521c11b60d6eea7d62f52d54ce77ca08dd7556ab8c0a4cb
                                                                • Instruction Fuzzy Hash: BC2148B5606159AFD724AB64D814E6E7FA6EFC2240F06C0EEE509DB3B1CE308802D761
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B25E70, Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: E
                                                                • API String ID: 0-3568589458
                                                                • Opcode ID: ff9987f1dd3d88b6be2014f6914bc9b8ed289186655c82f52d7ac99e12623e9d
                                                                • Instruction ID: 837bd6136afb1d821ef02ca305800246b2e13a283289656b23c5159eb8f512e0
                                                                • Opcode Fuzzy Hash: ff9987f1dd3d88b6be2014f6914bc9b8ed289186655c82f52d7ac99e12623e9d
                                                                • Instruction Fuzzy Hash: 31119E7620E2956FD7265774DC14D5A3FAAEF83250B0640EAF648CB2B2CB258C12DB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B25F48, Relevance: 1.3, Strings: 1, Instructions: 26COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: E
                                                                • API String ID: 0-3568589458
                                                                • Opcode ID: 2103a89c59d0102c7555305c0934babdb5c5c9bf08ba465a3649e84ef81557cb
                                                                • Instruction ID: 708017c5a1dd6c04ebd67aabb71ce33dc208ad29a344a0481d1c4f634326122c
                                                                • Opcode Fuzzy Hash: 2103a89c59d0102c7555305c0934babdb5c5c9bf08ba465a3649e84ef81557cb
                                                                • Instruction Fuzzy Hash: 21E0E5BA026245AFDB065FA0DC48E917FB6BF0625070A90DAF648CB1B3C326C564EF11
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B235B0, Relevance: .3, Instructions: 308COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c5fccc258029bc5dee0a570ffc6618e526389b5fc6bb7a44b9bf8638e758be3d
                                                                • Instruction ID: d336723c81e6afb4b549112a292f7f0ddc263964d5c50548b07f4e1c773251c4
                                                                • Opcode Fuzzy Hash: c5fccc258029bc5dee0a570ffc6618e526389b5fc6bb7a44b9bf8638e758be3d
                                                                • Instruction Fuzzy Hash: E3C16EB0B011199FDB14EF64D858AAE7BF6EF89644F158069E50ADB3A0CF34DC02DB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B25710, Relevance: .2, Instructions: 210COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d76fe4cb37980e24b8c8526bb21514e169a7a75455c95365e03a7936e5995b5a
                                                                • Instruction ID: 341396b558ccb1f0f8706352348ee50a3365cad3b0f321c4efbceb44b72aef30
                                                                • Opcode Fuzzy Hash: d76fe4cb37980e24b8c8526bb21514e169a7a75455c95365e03a7936e5995b5a
                                                                • Instruction Fuzzy Hash: A291F374D01229DFDB24DFA5C844BDDBBB2BF49304F2084E9D508AB250DB74AA86CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B24950, Relevance: .2, Instructions: 167COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ade2801c5a134212e037943f407f09d90dfbffb600fcaf79cb85dbfdaadbb4a6
                                                                • Instruction ID: 7e6f7dd6e8a2930caf3abaca0d0da8685ad4275f06b3d4a3c344ee44eb41c11e
                                                                • Opcode Fuzzy Hash: ade2801c5a134212e037943f407f09d90dfbffb600fcaf79cb85dbfdaadbb4a6
                                                                • Instruction Fuzzy Hash: 10614875A00619DFDB14DFA9C498A9DBBB1FF88350F218169E509AB360DB70ED81CF80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B24941, Relevance: .2, Instructions: 157COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0326a87fb28ebd9acdc47ab6d08347428176423d9477f70b6bd37d9a69103e63
                                                                • Instruction ID: ebac4ebf8e65ff9140b25852beb5c1a38b8378aea58757d8667e358598f32876
                                                                • Opcode Fuzzy Hash: 0326a87fb28ebd9acdc47ab6d08347428176423d9477f70b6bd37d9a69103e63
                                                                • Instruction Fuzzy Hash: BB616974A00619DFDB14DFA9C498A9DBBB1FF88354F118559E409AB3A0DB30ED81CF80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B24038, Relevance: .1, Instructions: 148COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 599f4609b33f1c7a4d8f5c8bf6b51bd620cb49225066d80219734c168152dbc0
                                                                • Instruction ID: c8564ca2beace17fd1986e4080ce7462efc165e452f3fd089ab5b07f95931948
                                                                • Opcode Fuzzy Hash: 599f4609b33f1c7a4d8f5c8bf6b51bd620cb49225066d80219734c168152dbc0
                                                                • Instruction Fuzzy Hash: B441BD75B002158FCB10DB79C8485BEBBF6EFC42247258969E569CB350EF30DC068B90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B26080, Relevance: .1, Instructions: 110COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d91e9f8f12f356251ee9e1aa89fcaaff882818e809b1ac778e49f28e7354e03f
                                                                • Instruction ID: c33b39c9039857654018528db0287d8a699bc1e4c020bdbcac724ae79fb997b2
                                                                • Opcode Fuzzy Hash: d91e9f8f12f356251ee9e1aa89fcaaff882818e809b1ac778e49f28e7354e03f
                                                                • Instruction Fuzzy Hash: 7741E7B4E01218DFDB08DFAAC9406AEBBF2FF89304F14C06AD418AB754DB349946CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B26258, Relevance: .1, Instructions: 102COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 292c179c155dded16e7428ae426e5204438b8f9d387f3f1485935ac1c5ee4540
                                                                • Instruction ID: 2e8b6befe3c07c16b1321e3273d3c7df7e5ce844583e855f94c970b8bf0d5047
                                                                • Opcode Fuzzy Hash: 292c179c155dded16e7428ae426e5204438b8f9d387f3f1485935ac1c5ee4540
                                                                • Instruction Fuzzy Hash: 2F41F6B4E01218DFDB18CFA5D984ADEBBB2BF89304F149129E505BB7A4DB709806CF45
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2C890, Relevance: .1, Instructions: 99COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f292ae772826da52191265a6e78b3a015be67da205188ce22de1e89da02afbc6
                                                                • Instruction ID: e15fc8ac4ca132595e8e9fe2cc091f3c36debd2978d29f3377585c056d33b9b2
                                                                • Opcode Fuzzy Hash: f292ae772826da52191265a6e78b3a015be67da205188ce22de1e89da02afbc6
                                                                • Instruction Fuzzy Hash: E2418DB4A11209DFDB14DFA9E48868DBFB2FB88384F10D465E51AD7364DB349942CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2C882, Relevance: .1, Instructions: 99COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dae16f598f7a62ec99608a30ded973fcb491d1e324cb50fe87e20587c455fff3
                                                                • Instruction ID: 391ab72d133675ef7ce60205de34024a3223b3f602c8a0849954b8b806c0371a
                                                                • Opcode Fuzzy Hash: dae16f598f7a62ec99608a30ded973fcb491d1e324cb50fe87e20587c455fff3
                                                                • Instruction Fuzzy Hash: 3C41ACB4A15209CFDB04DFA9E48868DBFB2FB88384F10D465E11ADB264DB349942CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B26268, Relevance: .1, Instructions: 97COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1c73e029b20e81c0f61c89de404221cca2c0f72571cf2c4ddec8b319402894fb
                                                                • Instruction ID: c842584919921dd3369e39050558c766bc91f29e5b2a7b1adeb21aa4567eb0bc
                                                                • Opcode Fuzzy Hash: 1c73e029b20e81c0f61c89de404221cca2c0f72571cf2c4ddec8b319402894fb
                                                                • Instruction Fuzzy Hash: 5341D3B4E012189FDB18CFA9D984ADEBBB2BF88304F149029E505BB764DB709806CF54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B27ED9, Relevance: .1, Instructions: 92COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8bb6c63e136a5f2419814204419589e8be208272ab264b275b1bff22e96cb835
                                                                • Instruction ID: ee345f162152f9cc70cb0b107adb5e9f697dbb4525daa6e7d91df003bf745a7a
                                                                • Opcode Fuzzy Hash: 8bb6c63e136a5f2419814204419589e8be208272ab264b275b1bff22e96cb835
                                                                • Instruction Fuzzy Hash: D34115B4E1521ADFCB44CFA5C4809AEBBF2FB88340F1094AAD419E7754E7349A02CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B25700, Relevance: .1, Instructions: 89COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5f0bae61cfb83ef63db8b83de198cbc776a4aa9077c375778afe33490da4a950
                                                                • Instruction ID: eb3a10680c11cc511cbbe43a8a91a3b8815edcbb75be5da5c78370b4cc0384e9
                                                                • Opcode Fuzzy Hash: 5f0bae61cfb83ef63db8b83de198cbc776a4aa9077c375778afe33490da4a950
                                                                • Instruction Fuzzy Hash: 0D3109B1D01229CFDB28DFA6D8407DEBBB2FF85300F1081AAD508A7254DB345A86CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B27EE8, Relevance: .1, Instructions: 88COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 11889efe7ee8aa274e44574d256b47a1a02632ccc2cd404dd6939a949967e0b2
                                                                • Instruction ID: 5ec7db0ef3d960e32e3f9503168902b83b0c93ac4455518488a8d79f364bbf4a
                                                                • Opcode Fuzzy Hash: 11889efe7ee8aa274e44574d256b47a1a02632ccc2cd404dd6939a949967e0b2
                                                                • Instruction Fuzzy Hash: 2B3107B4E15219DFCB44CFAAC5809AEFBF2FB88340F10956AD419A7714D7349A42CF94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B29C18, Relevance: .1, Instructions: 75COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4ac01eb2d5a8557771919a17fbe437e06d09413a67e1818f416ead46e25077e7
                                                                • Instruction ID: cb015bbddc838eef2cbfc3b6149747e2287ecdc48ab96cfe0caf303bba8251d7
                                                                • Opcode Fuzzy Hash: 4ac01eb2d5a8557771919a17fbe437e06d09413a67e1818f416ead46e25077e7
                                                                • Instruction Fuzzy Hash: 083149B0D1521ADBDB44CFA6C54059EFBF6BB89340F20D4AAC419B7228E7309B41DF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B29C08, Relevance: .1, Instructions: 73COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 499c7ca0d4652ab3d9b2d240c1d8cbe72044e7d3b8e59a2a090b320d94a2ad73
                                                                • Instruction ID: 856eef9a69b918a8edf7b852b1883bd0f4eb1925565748f79bffa66b3f63568b
                                                                • Opcode Fuzzy Hash: 499c7ca0d4652ab3d9b2d240c1d8cbe72044e7d3b8e59a2a090b320d94a2ad73
                                                                • Instruction Fuzzy Hash: 8A319CB091921ADBDB04CFA5C58059EBBF2BF89340F24C5AAC419BB264D3309B42DF10
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B28028, Relevance: .1, Instructions: 70COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2bafc56f039cc4ab3f18e4140bd04927af18a28edca1e9d3dc6e028cecfde857
                                                                • Instruction ID: fa13ea670e8d3e46424640ffb723e283285e8850a38639fb7f1abed9a9a399c0
                                                                • Opcode Fuzzy Hash: 2bafc56f039cc4ab3f18e4140bd04927af18a28edca1e9d3dc6e028cecfde857
                                                                • Instruction Fuzzy Hash: D5214BB4E0421ACFDB04CFA5C58059EBBF2FF8A200F14C5AAC514E7361D3349A02CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2DA10, Relevance: .1, Instructions: 66COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 902091389d8a47e32f59e27da07841a775521703186bdadf4fdf100737ed8865
                                                                • Instruction ID: f3986677f49a9fa121a4dbe5ccaf5e52827a44641b6165d2c1852585a762944a
                                                                • Opcode Fuzzy Hash: 902091389d8a47e32f59e27da07841a775521703186bdadf4fdf100737ed8865
                                                                • Instruction Fuzzy Hash: D6212A74E142198FDB44CFAAD4456DEBBF6FB89250F10C46AD919B3304DB345942CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B28038, Relevance: .1, Instructions: 64COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c16a44c01a010cd60e97779325d1d8a389e544680e703182ad1d1ed441308e7d
                                                                • Instruction ID: 2cae4ed215bb4264736dfee4ec231dd7c147923e88f2c2ebcd1ce9fe27fdee90
                                                                • Opcode Fuzzy Hash: c16a44c01a010cd60e97779325d1d8a389e544680e703182ad1d1ed441308e7d
                                                                • Instruction Fuzzy Hash: 2621F2B4E0521ADFDB44DFA9C5419AEBBF2BB89300F10C5AAC518A7314D730AA02CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B24028, Relevance: .1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b468b460d155560e2c4ecbe380063cb1419c2a84b2b96b47ecc73d5257a0ab73
                                                                • Instruction ID: 9c66ecd7388c50223e87494290e3ae337fc78fdf7c9dd5095c1dee82321c9486
                                                                • Opcode Fuzzy Hash: b468b460d155560e2c4ecbe380063cb1419c2a84b2b96b47ecc73d5257a0ab73
                                                                • Instruction Fuzzy Hash: 1F11A3B5B003169F8B15DA69984447FBBFBEFC82A0315492DE459D7340EF309D068761
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2F360, Relevance: .1, Instructions: 61COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 57ddc082769ba938a822684bec874c3a29bfe7a13bf09e5be9dfa5276e963248
                                                                • Instruction ID: e9deaabce20f5aa5ce17d2125e9e62e59813b81f0ab22d0fd550d9612d63d792
                                                                • Opcode Fuzzy Hash: 57ddc082769ba938a822684bec874c3a29bfe7a13bf09e5be9dfa5276e963248
                                                                • Instruction Fuzzy Hash: 4E11E3B0B091258FEB249B7989102BE76B6EF85250F14856DE50EC7380EF34CC4297D1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B23F58, Relevance: .1, Instructions: 58COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e9992db6e1fa7ccda2ea5f7d79fd0208ea03213846e82147e70b033633bccddc
                                                                • Instruction ID: 42d1e2d980a5191c3bb187a48e32fca82198271aaa2229fcd834d96fa61ec858
                                                                • Opcode Fuzzy Hash: e9992db6e1fa7ccda2ea5f7d79fd0208ea03213846e82147e70b033633bccddc
                                                                • Instruction Fuzzy Hash: 26115E71B002158F8B18EBB898106EFB7F6EFC4254B104079C608E7740FF328D4A8BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B29D40, Relevance: .1, Instructions: 57COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 83dfcd6904ed53bb334afd2609be371b4571d0fd8fcdb754a9042c40f4816e9e
                                                                • Instruction ID: b575bead62dda55569a66dc776d9fc7ee845dc31a8bab1be44419f584eca2488
                                                                • Opcode Fuzzy Hash: 83dfcd6904ed53bb334afd2609be371b4571d0fd8fcdb754a9042c40f4816e9e
                                                                • Instruction Fuzzy Hash: ED216D74E052459FCB05CFA9C54898DFBF2AF89240F19C5DAD418AB365DB34DA02DB40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B26430, Relevance: .1, Instructions: 57COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c7e02648947c6582a71b640d6ff5779b112e4e7381474b86334fc83ffa34dcd3
                                                                • Instruction ID: 838e2a2b45a8f92f163d249bb1ca8f2c472ac41de70b389f7e2cab990a372979
                                                                • Opcode Fuzzy Hash: c7e02648947c6582a71b640d6ff5779b112e4e7381474b86334fc83ffa34dcd3
                                                                • Instruction Fuzzy Hash: E011E270A16209DFC700FFB8E449A9EBBB5EF4124DF0088ADD1089B221EB759E05DB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B29D50, Relevance: .1, Instructions: 56COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 813a5eecfc665a792611fd44d462ecd560be06a0a7c26f5afc5de41a8b5460db
                                                                • Instruction ID: 54b14b75f0f609c82da7920e95b4e76d0c8ddd3e6af94cc98c209125edb00c99
                                                                • Opcode Fuzzy Hash: 813a5eecfc665a792611fd44d462ecd560be06a0a7c26f5afc5de41a8b5460db
                                                                • Instruction Fuzzy Hash: 3E111774E01118EFDB44DFA9C548A9EFBF6EF88240F14C4A9D418A7324DB30EA42DB40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B23F21, Relevance: .0, Instructions: 48COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9431b4f962128be52055a66acfaa478247e28cdb7aa28f307714fb0e4b11fedd
                                                                • Instruction ID: fcf0d7d4c592f5b56cf97e0f69866cfa76ea979bd3369d35014fedfd986ed40e
                                                                • Opcode Fuzzy Hash: 9431b4f962128be52055a66acfaa478247e28cdb7aa28f307714fb0e4b11fedd
                                                                • Instruction Fuzzy Hash: D801A2F1D0A3D5CFCB12ABB458502AE7FB4EF57205B1610EBC194E7253E324890ADB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B24740, Relevance: .0, Instructions: 40COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3fb6748d43bd445604c4bbfc66bf54ee5515bedd243067a8d7c960bb620557c4
                                                                • Instruction ID: 64bb1f2e6fc653914b915e144c0d4319336f3940ab1b8f55e28c25a687a3ce11
                                                                • Opcode Fuzzy Hash: 3fb6748d43bd445604c4bbfc66bf54ee5515bedd243067a8d7c960bb620557c4
                                                                • Instruction Fuzzy Hash: F5F054B27082655F9314D7AA9CC4C67BBFDEBC9260366807AF508CB351DE309C05C7A0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2CC82, Relevance: .0, Instructions: 37COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d74fad52e60f140a0b9462118597095887ca41f1a7ad300a085e265e08d804e9
                                                                • Instruction ID: 711fd56fc355fa23195aac4324cb2ee2e2a7c84fee4b7fc7972ba8704121cab8
                                                                • Opcode Fuzzy Hash: d74fad52e60f140a0b9462118597095887ca41f1a7ad300a085e265e08d804e9
                                                                • Instruction Fuzzy Hash: E41135B4A04219CFCB04DFA9E448A8EBBF1FB48388F108615E405AB3A4DB349C45CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B24750, Relevance: .0, Instructions: 32COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a5c512acc43451c71145fa601077d692663382b49dee6a513443f47181ee7c2b
                                                                • Instruction ID: c4256bd3b90034f6d333586481c2ca89d1e561a8e7a72dd8ab45435db97ac9ff
                                                                • Opcode Fuzzy Hash: a5c512acc43451c71145fa601077d692663382b49dee6a513443f47181ee7c2b
                                                                • Instruction Fuzzy Hash: 51E039767041286F5314DB6EE884C6BBBEEEBCD664351813AFA08C7310DA309C00C6A0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B23520, Relevance: .0, Instructions: 24COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2ad34c0e96f912f1deaaa435961c7475919849fa889c8dcff001ca352d5e18fc
                                                                • Instruction ID: 5ed3b3a93e7eaf869dd51f71612d3326a77a4048b10691f8a8524c2d8ec1c0a4
                                                                • Opcode Fuzzy Hash: 2ad34c0e96f912f1deaaa435961c7475919849fa889c8dcff001ca352d5e18fc
                                                                • Instruction Fuzzy Hash: C1F0A0B180438AEFCF16CFE4D804A9D7F71FB06320F14869AE9655A1E2CB355512EB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2891E, Relevance: .0, Instructions: 23COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2bed45c61f1dc941c9a20eca2afb3959c5f426d27fbf7e484832849d5b15bf81
                                                                • Instruction ID: 5c3c4506270e67d43445bb78b9c83c4e8fa6e70fa81df703743565eba808f77b
                                                                • Opcode Fuzzy Hash: 2bed45c61f1dc941c9a20eca2afb3959c5f426d27fbf7e484832849d5b15bf81
                                                                • Instruction Fuzzy Hash: 19F07F749012698FCB90CFA8CA80ADDBBB1BB48310F1081D5A509EB314DA309E84DF00
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2F310, Relevance: .0, Instructions: 21COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 84876155140ef33dd6d1dd8c65eacc1da0121ec94c8902ca43b36845364f4fec
                                                                • Instruction ID: 347a449e43e795936634389c8792fccf3afc9c255028300b795f220a289aca26
                                                                • Opcode Fuzzy Hash: 84876155140ef33dd6d1dd8c65eacc1da0121ec94c8902ca43b36845364f4fec
                                                                • Instruction Fuzzy Hash: 11E0C9B4D00219EFCB44EFE8D8456ADBFB5FB08300F1085A9E858A3300D7705651DF85
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B292A7, Relevance: .0, Instructions: 21COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3788f16fdbe2631072598ec4b7fc045e4b5ba5020e6b3f667f06aca82196e7f0
                                                                • Instruction ID: f9e8c411726cc1826eede364f2910c364741cc582424cfc5780d3f72473f5859
                                                                • Opcode Fuzzy Hash: 3788f16fdbe2631072598ec4b7fc045e4b5ba5020e6b3f667f06aca82196e7f0
                                                                • Instruction Fuzzy Hash: 55F05F74916268CFCB65CF64D980ADDBBB1FB09351F4041D5E84AA3310DB31AA81CF00
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B26DFF, Relevance: .0, Instructions: 19COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 67d0e8df5a0e255188e8875a73c9d6621014313cc135d256e169d9f563b0a6b2
                                                                • Instruction ID: 92fd30fd98977c1af180354cedb8bb308163adf72ac38ba6639a783592060610
                                                                • Opcode Fuzzy Hash: 67d0e8df5a0e255188e8875a73c9d6621014313cc135d256e169d9f563b0a6b2
                                                                • Instruction Fuzzy Hash: DEE06D70E086188FDB54DFE5C890A8EBBF1EB85300F11A4AAC109A7254DA304985DF20
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2E110, Relevance: .0, Instructions: 19COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6b9cb97701647c991af510164a10a4b2e2dc81cbdbda2773590cdf42d8cdfdb3
                                                                • Instruction ID: 2051caea81638d598656a271a2a3ac9a0a62bdf93e874ac75b0e5e1b077843a3
                                                                • Opcode Fuzzy Hash: 6b9cb97701647c991af510164a10a4b2e2dc81cbdbda2773590cdf42d8cdfdb3
                                                                • Instruction Fuzzy Hash: F1E01AB0D00219DFCB44EFE9D8052AEBBF5FB48300F1085AAD818A3340D7705A01CF81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B23571, Relevance: .0, Instructions: 13COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 482f01f7e2f324d46ee9711c43df037120eebd50078b5293757ac9f1b587d172
                                                                • Instruction ID: 17ea124b2ff27944d499ef688c475908c24158fbbc14e2b44014221a9b795dd6
                                                                • Opcode Fuzzy Hash: 482f01f7e2f324d46ee9711c43df037120eebd50078b5293757ac9f1b587d172
                                                                • Instruction Fuzzy Hash: ADD0C93710024CBFDF024ED0ED0AFDA3FA6EB09361F049412FA0445092DBB29570EB96
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B23580, Relevance: .0, Instructions: 10COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d5a2b3080d95adc8674230bdcb8ad6efec67b8a131db3314c89e397386dfd780
                                                                • Instruction ID: 0863dd700bf077fce1c435c7011a491ad61a82e3b0a0f308cc9cf46dd4bc6b23
                                                                • Opcode Fuzzy Hash: d5a2b3080d95adc8674230bdcb8ad6efec67b8a131db3314c89e397386dfd780
                                                                • Instruction Fuzzy Hash: F1C0023614020DBFDF025EC1EC05EDA3F6AEB08761F009401FA19050A187B39570EBA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B28C90, Relevance: .0, Instructions: 10COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3526491774362248e702eabe485399309626e70dab42816ef8d0349009b4b1b5
                                                                • Instruction ID: ec6f1bc8521eb686efe29507098e2393fcac12b9bd3b593cfa870bb241cb5dd9
                                                                • Opcode Fuzzy Hash: 3526491774362248e702eabe485399309626e70dab42816ef8d0349009b4b1b5
                                                                • Instruction Fuzzy Hash: 5AD0C971612355CFC794DFA1C690499BBB2EF49351F1098A8D44A9B264C73ADA81CF10
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Function 07B2E158, Relevance: .4, Instructions: 353COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a8a0c627e99c4523b74a31c1871ebfbfa1eb08c3febdc328e6aeb79df131d0dd
                                                                • Instruction ID: 3742cea5e8c5d140179e801f1a5b333c49a7a793d5e334e792dc65dfacf5e091
                                                                • Opcode Fuzzy Hash: a8a0c627e99c4523b74a31c1871ebfbfa1eb08c3febdc328e6aeb79df131d0dd
                                                                • Instruction Fuzzy Hash: 1ED1C2B1E151168FDF04CFB6C4496AEBBB2EF88314F149569D41AA7344EB34D9028B91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B25150, Relevance: .3, Instructions: 270COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0a04c347603ab2ed05e3ede12c420350f80f706f489a3b838304988c6236a7dc
                                                                • Instruction ID: c9db1a64836f5f687dbfc7f12103bff600a0c0f0b062832ee11e8485bc427963
                                                                • Opcode Fuzzy Hash: 0a04c347603ab2ed05e3ede12c420350f80f706f489a3b838304988c6236a7dc
                                                                • Instruction Fuzzy Hash: E1D11430D2175ACACB10EFA4D994A9EB371FF95240F50DB9AE14937224EF706AC4CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B25160, Relevance: .3, Instructions: 264COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dfa909649d6bc22bc732efc43d203af447829359cc5b6bb9fac1795f79141c16
                                                                • Instruction ID: a95710d6f7120bcce6ffdae1623e56af3c1406d211f19194907b38b34ff1bac0
                                                                • Opcode Fuzzy Hash: dfa909649d6bc22bc732efc43d203af447829359cc5b6bb9fac1795f79141c16
                                                                • Instruction Fuzzy Hash: 2CD1F430D2175ACACB10EF68D994A9EB371FF95240F50DB9AE54937224EF706AC4CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2A530, Relevance: .2, Instructions: 178COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a11c34f3b048cc3d511a4a1750e3ad52f26bfb5276996bf85699447ae2570b0b
                                                                • Instruction ID: bc3a1a85f9f9abcf4d9046df661ce728fc5534a2cef44367dcdae047618b8f66
                                                                • Opcode Fuzzy Hash: a11c34f3b048cc3d511a4a1750e3ad52f26bfb5276996bf85699447ae2570b0b
                                                                • Instruction Fuzzy Hash: 5781E1B4E11219CFCB04CF99D58499EFBF1FF89250F14855AE819AB321D334AA46CF54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2A520, Relevance: .2, Instructions: 177COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8310db321f0feaf665a25d9004adb460af8b7011d7947a9c804dea4bc13d7e23
                                                                • Instruction ID: c3c51018b7fcce06b238478415d3750a234946a76887c2722596576279a6964c
                                                                • Opcode Fuzzy Hash: 8310db321f0feaf665a25d9004adb460af8b7011d7947a9c804dea4bc13d7e23
                                                                • Instruction Fuzzy Hash: 8971D2B4E11219CFDB44CFA9D58499EFBF2FF89250F148596D819EB221D334AA42CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2B900, Relevance: .2, Instructions: 161COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5e02555a1ea498777c178e191e36d30bf89e2a830936a53e4a99a49b939dbef9
                                                                • Instruction ID: c177cca482b248934bbfee4706ad69bc6cc4361fcee065708fd2116617539ac6
                                                                • Opcode Fuzzy Hash: 5e02555a1ea498777c178e191e36d30bf89e2a830936a53e4a99a49b939dbef9
                                                                • Instruction Fuzzy Hash: 866125B0E15619DFDB04CFA9C5855DEFBF6FB89200F24946AD409B7324E7309A02CB64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2B8F0, Relevance: .2, Instructions: 159COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dd04515d9156b4780bba34c8cb760c8c29452f0ec7d43f6808d2a98beba22eba
                                                                • Instruction ID: 3a264a0aa91c2b074746470c771ef7a4da4ca93dec277f792ba502228de29c72
                                                                • Opcode Fuzzy Hash: dd04515d9156b4780bba34c8cb760c8c29452f0ec7d43f6808d2a98beba22eba
                                                                • Instruction Fuzzy Hash: BF6134B0E16619CFDB04CFA9C5855DEFBF6BF89200F24946AD409B7324E7309A42CB64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2B078, Relevance: .2, Instructions: 152COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7cd21bbb1ca52d0db3081c0f70e3dfea85023625eb00a6aa2329b808a15ed81e
                                                                • Instruction ID: c7300df3d50d346e64960dbcc07c029e085113f381f62fe1cec1d5ca2922aed7
                                                                • Opcode Fuzzy Hash: 7cd21bbb1ca52d0db3081c0f70e3dfea85023625eb00a6aa2329b808a15ed81e
                                                                • Instruction Fuzzy Hash: A36102B0E1525ACFDB04CFA9D4809AFFBB2FF49210F14855AD418A7204E730A942CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05250040, Relevance: .1, Instructions: 142COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: af61a561187ca3e71cb0852d7306decf7a24f912f1ef4c1810fa220eed155278
                                                                • Instruction ID: 2fb0ed967772039a2a7541a11dbffa34e82d5ae90d76d3223f995d29f019ebcd
                                                                • Opcode Fuzzy Hash: af61a561187ca3e71cb0852d7306decf7a24f912f1ef4c1810fa220eed155278
                                                                • Instruction Fuzzy Hash: 8C512C75E5462A8BDB28CF6AC8447E9B7B6FFC9310F14C1AAD50DA7214EB705A818F40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 05250006, Relevance: .1, Instructions: 135COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.432068573.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f3efae935dd786fb03e8e8610e648a8f9318f3726dccd5e2058166951d17bbe0
                                                                • Instruction ID: 06f502988d11d2a3fd937fde2352fedb531cca48aa08e05bfd3f231622cb357d
                                                                • Opcode Fuzzy Hash: f3efae935dd786fb03e8e8610e648a8f9318f3726dccd5e2058166951d17bbe0
                                                                • Instruction Fuzzy Hash: 24514C75D5565A8BDB29CF66CC44799BBB2FFC9300F15C2EAD408A7214EB705A81CF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2B6B9, Relevance: .1, Instructions: 117COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0620b3a43c9a3c2451800cba4b872744548a5dac5bab85a77597149d0c44471b
                                                                • Instruction ID: 7a0ffa264b7ec285bb5052654d4f7e25ef9f4b3c0810d0ef71c6676e560d7536
                                                                • Opcode Fuzzy Hash: 0620b3a43c9a3c2451800cba4b872744548a5dac5bab85a77597149d0c44471b
                                                                • Instruction Fuzzy Hash: ED4109B4D1521ACFDB04DFAAC4815AEFBF2FF89200F24C46AC419EB254E73496429F94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2B6C8, Relevance: .1, Instructions: 113COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fe3c32c952ed85b5b213f94169b2fd3c26bf00d290de0ab84cd5d8526969a563
                                                                • Instruction ID: 432d0392c29a3ff386279409c55220ca56206287ab59a21b7e560d2e350d3f2f
                                                                • Opcode Fuzzy Hash: fe3c32c952ed85b5b213f94169b2fd3c26bf00d290de0ab84cd5d8526969a563
                                                                • Instruction Fuzzy Hash: 674108B4D1521ADFDB04DFEAC4415AEFBF2BF88300F24D46AC419AB214E73496429F94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2BB51, Relevance: .1, Instructions: 103COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a67c925760c9c73969f004178d9c93b6f755c587be8ce780f6597d6f368e5f3a
                                                                • Instruction ID: 362ab899d59b06b65646f9aebe0998bafc362cc09989a5e3aa0d3c2264db1cd9
                                                                • Opcode Fuzzy Hash: a67c925760c9c73969f004178d9c93b6f755c587be8ce780f6597d6f368e5f3a
                                                                • Instruction Fuzzy Hash: 3941EBB1E0161ADBDB44CFAAC5415DEFBF2FF88310F24C4A6D508A7358E7349A418B94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2BB60, Relevance: .1, Instructions: 102COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0c95b481455cbc9ec2634370c5d1b89f26dd8c5923d0fe00ef2e2bcde96e66cc
                                                                • Instruction ID: e1f5ff0ce58631311b19eb1e27d9063db5008fa5c34acdeba075bd4c1c98668b
                                                                • Opcode Fuzzy Hash: 0c95b481455cbc9ec2634370c5d1b89f26dd8c5923d0fe00ef2e2bcde96e66cc
                                                                • Instruction Fuzzy Hash: 7941DCB0E1521ADBDB44CFAAC5415DEFBF2FF88300F14C5A5D518A7314E7345A428B94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2434D, Relevance: .1, Instructions: 75COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d79b50d0b185c6bed9ebd1deec33e3c2d5849e5f3c2f5277f9d2619a7e89f5be
                                                                • Instruction ID: 1cfa9cdf6f425c9b3a9f8499e4587c9df306fd72487352b24654904f99530d3a
                                                                • Opcode Fuzzy Hash: d79b50d0b185c6bed9ebd1deec33e3c2d5849e5f3c2f5277f9d2619a7e89f5be
                                                                • Instruction Fuzzy Hash: D331AEB4D05219EFDB14CFA9D484AADBBF1FB49350F209169E818B7350D7309942CF54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B24358, Relevance: .1, Instructions: 71COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 10e8ffc5443a8c46428973bfc64e27cddb44f2f428527711d36b4a7dd3aa5327
                                                                • Instruction ID: c47a48cc58ef5154292afee95b63d987ffe51211506a5337c721c091df1502f0
                                                                • Opcode Fuzzy Hash: 10e8ffc5443a8c46428973bfc64e27cddb44f2f428527711d36b4a7dd3aa5327
                                                                • Instruction Fuzzy Hash: ED31AEB4D06219EFDB14CFA9D484AEDBBF1BB49350F20916AE818B7350D7349942CF54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2BD18, Relevance: .1, Instructions: 70COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4f7320c29f68e60c870a5aacf4e3b82e6f3879d3a67d2ea1660d75bd7de0f410
                                                                • Instruction ID: d344e767cc75ec7124e88ff16d2501da20a7b061953d66a729831adc94eff67c
                                                                • Opcode Fuzzy Hash: 4f7320c29f68e60c870a5aacf4e3b82e6f3879d3a67d2ea1660d75bd7de0f410
                                                                • Instruction Fuzzy Hash: F221CCB1E056188FEB18CFABC94469EFBF3AFC8200F15C0BAD508A7254EB3449468F55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2E680, Relevance: .1, Instructions: 60COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1b6ffdcf0ac4d1019ed0f59b179202961bb0c174b5a95fa65acd146abda73b5d
                                                                • Instruction ID: 1059d647e923b8db3093fb71dacf038afa3b238b4c126845ee1638a571fcf125
                                                                • Opcode Fuzzy Hash: 1b6ffdcf0ac4d1019ed0f59b179202961bb0c174b5a95fa65acd146abda73b5d
                                                                • Instruction Fuzzy Hash: F4111D71E116299BDB18CFABD94569EFBF7ABC8200F14C07AD508B7254DB305A428F51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2CDB0, Relevance: .1, Instructions: 60COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 12dbe287922c617b6feb23be71e897f901fec8b66f3a8f10b959581b22d209c6
                                                                • Instruction ID: b2bd372ab1049e64d6c7734d5cbbd4ea58f57bb369fdc5397ea578da00d19ed8
                                                                • Opcode Fuzzy Hash: 12dbe287922c617b6feb23be71e897f901fec8b66f3a8f10b959581b22d209c6
                                                                • Instruction Fuzzy Hash: 9B1117B1E116199BEB58CFABD9416DEFBF7EBC8300F14C06AD508A7214DB305A068B95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B2CD9A, Relevance: .1, Instructions: 58COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 21763af45e283eaa4a49896a5ca4365173c8371561a3a8be47b003bace9711ee
                                                                • Instruction ID: ad4ad992ccc3943593c8e5ebfe67dd7ac58b449ec80a2c2f5357c3284c5e2406
                                                                • Opcode Fuzzy Hash: 21763af45e283eaa4a49896a5ca4365173c8371561a3a8be47b003bace9711ee
                                                                • Instruction Fuzzy Hash: 2C215EB1E15219DFDB49CFABC94169EBBF3AFC9200F14C06AD408E7254EB344A06CB95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B264F8, Relevance: .1, Instructions: 56COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 15aa5432616daee443df429fbf6740e73bdf2d2a499117f33e9af321aafbf26e
                                                                • Instruction ID: ce9b7429ca8c15a871995a62d2404a58430be0b8811f364d9b759aab03f1a778
                                                                • Opcode Fuzzy Hash: 15aa5432616daee443df429fbf6740e73bdf2d2a499117f33e9af321aafbf26e
                                                                • Instruction Fuzzy Hash: 1011AAB1E116199BEB1CCFABC84469EFBF7AFC8200F04C07AD818A6258EB3445468F55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B245A4, Relevance: .0, Instructions: 39COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 968edca072d4adef11af9f8d00093ec1278c64d9904874ce1afa764518e5cd99
                                                                • Instruction ID: 5c37615b09e21576da411309d4f4ce04f81cf57e35aa41f691fea511411d1709
                                                                • Opcode Fuzzy Hash: 968edca072d4adef11af9f8d00093ec1278c64d9904874ce1afa764518e5cd99
                                                                • Instruction Fuzzy Hash: CEF074B4D0520D9F9F04CFA9D4804EEFBF2AB9A310F21A16AE855F7310E73599118F68
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B245B0, Relevance: .0, Instructions: 34COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
                                                                • Instruction ID: 40abb0249c285f38daa9d0211a0defcbdac0c122e0c83ebab76b26a3c72d637c
                                                                • Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
                                                                • Instruction Fuzzy Hash: 10F042B5D1520C9F8F04DFA9D5418EEFBF2BB5A310F10A16AE814B3310E73599518FA8
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B29E10, Relevance: 6.4, Strings: 5, Instructions: 111COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: SGtK$_Ac$j6I$j6I$j6I
                                                                • API String ID: 0-2804980140
                                                                • Opcode ID: 183bc4664792e6f1610699d489a5e69b8ad8dae86457db98b1b30ab52c5149d6
                                                                • Instruction ID: 99d4e2b33a9fcf2af6adb2b79a6ee91b6e9927a91cb5aeea2aef41c019aa90ea
                                                                • Opcode Fuzzy Hash: 183bc4664792e6f1610699d489a5e69b8ad8dae86457db98b1b30ab52c5149d6
                                                                • Instruction Fuzzy Hash: F34125B4E15219DFDB44CFA9D4809DEFBF1FB89220F0594AAD818B7310C730AA418FA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 07B29E20, Relevance: 6.4, Strings: 5, Instructions: 110COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.442735140.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: SGtK$_Ac$j6I$j6I$j6I
                                                                • API String ID: 0-2804980140
                                                                • Opcode ID: 03b47edfa470156bac7d887db87ce848bf0510a94f6a719ea1e1f4d6120b6422
                                                                • Instruction ID: d0380c3e9d522fa06bd262ade8ed1f75efe49098951bf1c4b0ddda9984dcddbc
                                                                • Opcode Fuzzy Hash: 03b47edfa470156bac7d887db87ce848bf0510a94f6a719ea1e1f4d6120b6422
                                                                • Instruction Fuzzy Hash: E04103B4E15219DFDB44CF99C5809EEFBB5FB89220F04946AD819B7310D334AA428FA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Analysis Process: G9xXUq625O.exe PID: 7144 Parent PID: 6320 G9xXUq625O.exeCOMMON

                                                                Executed Functions

                                                                Function 01526B1F, Relevance: 6.1, APIs: 4, Instructions: 137threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 01526BB0
                                                                • GetCurrentThread.KERNEL32 ref: 01526BED
                                                                • GetCurrentProcess.KERNEL32 ref: 01526C2A
                                                                • GetCurrentThreadId.KERNEL32 ref: 01526C83
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.600816569.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: bfe0c1a80af4cd13b9f2257321fd8628c97c01c4b7c9b77d9775d7642bafe75d
                                                                • Instruction ID: 89c091b64909ec4d558b60c4f17b825f48ff6e3e724b0ce62cb2427aa1115486
                                                                • Opcode Fuzzy Hash: bfe0c1a80af4cd13b9f2257321fd8628c97c01c4b7c9b77d9775d7642bafe75d
                                                                • Instruction Fuzzy Hash: C15177B09053898FDB14DFA9C9487AEBBF0FF4A314F24849AE459A73A1C7345844CF61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01526B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 01526BB0
                                                                • GetCurrentThread.KERNEL32 ref: 01526BED
                                                                • GetCurrentProcess.KERNEL32 ref: 01526C2A
                                                                • GetCurrentThreadId.KERNEL32 ref: 01526C83
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.600816569.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: 7a1f3976fbef5664a8b5497347dff48e2efe78b32618497c700ecb80327b0700
                                                                • Instruction ID: 6e2f600389d6ad895ee9fbe987f34e2226001a197c2fa68b2c8e15385f428d91
                                                                • Opcode Fuzzy Hash: 7a1f3976fbef5664a8b5497347dff48e2efe78b32618497c700ecb80327b0700
                                                                • Instruction Fuzzy Hash: DE5143B19006498FDB14DFAAC948BAEBBF0FF89314F208459E519B7390DB746884CF61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01525184, Relevance: 1.6, APIs: 1, Instructions: 117COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015252A2
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.600816569.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: e57c27b61b1a7aa10ada2ff67e726bd90cc03eaa7511cb794c57aee196353197
                                                                • Instruction ID: 926edfc431530ad27eb9484b2274a3f7188b2d6c705431a3302301cb8e0e2fa2
                                                                • Opcode Fuzzy Hash: e57c27b61b1a7aa10ada2ff67e726bd90cc03eaa7511cb794c57aee196353197
                                                                • Instruction Fuzzy Hash: 1B51C1B1D103199FDF14CFA9C884ADEBFB5BF99314F24852AE819AB250D770A845CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01525190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015252A2
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.600816569.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: e54da11b45dc50de0eab475dc39dd6b3f88b5dfebd84a031ae13f2aa4d3ead51
                                                                • Instruction ID: 0f2cacff856ae4df9ea70f55078ebeefaf4853d8fd38565eb4593d04b5999d9c
                                                                • Opcode Fuzzy Hash: e54da11b45dc50de0eab475dc39dd6b3f88b5dfebd84a031ae13f2aa4d3ead51
                                                                • Instruction Fuzzy Hash: 2C41D0B1D103199FDF14CF99C884ADEBFB5BF89314F24852AE819AB250D770A845CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01526964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 01527CF9
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.600816569.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
                                                                Similarity
                                                                • API ID: CallProcWindow
                                                                • String ID:
                                                                • API String ID: 2714655100-0
                                                                • Opcode ID: 04e9a596b9dbed2d97520ed58ca44e78921ff237e5be916addd0c28abbf7431b
                                                                • Instruction ID: a692a305005c2449f8e554fa0eaaa494d3fe42077ea7859ce9292a8b5236a25d
                                                                • Opcode Fuzzy Hash: 04e9a596b9dbed2d97520ed58ca44e78921ff237e5be916addd0c28abbf7431b
                                                                • Instruction Fuzzy Hash: 16415AB69002558FCB14CF99C888AAABBF5FF9D314F248859E519AB351C334A841CFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01526D72, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01526DFF
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.600816569.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 66244188fda7a9adfa1cb9e2dbd655ed0014c1f9be0609201512b8c90c8c8cf8
                                                                • Instruction ID: 7a3426c72ea669b9e80893a1680fdcf43242e06403288bbb2c9e1fffe5e7f3df
                                                                • Opcode Fuzzy Hash: 66244188fda7a9adfa1cb9e2dbd655ed0014c1f9be0609201512b8c90c8c8cf8
                                                                • Instruction Fuzzy Hash: F721E0B5D002199FDB10CFA9D884AEEBBF8FB49324F14841AE915B7350C374A955CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01526D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01526DFF
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.600816569.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 92969402474182c9336cb219cfe8aae6a29fe732a3e0afbd2c98b14c47469866
                                                                • Instruction ID: 7224ca84b8b0984ae47f2de6b79dbaa3ce30702ae28d4c9d210a9a125ab5738b
                                                                • Opcode Fuzzy Hash: 92969402474182c9336cb219cfe8aae6a29fe732a3e0afbd2c98b14c47469866
                                                                • Instruction Fuzzy Hash: 7121C2B59002599FDB10CFAAD884AEEBBF8FB48324F14841AE914B7350D374A954CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0152C3C8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • RtlEncodePointer.NTDLL(00000000), ref: 0152C442
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.600816569.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
                                                                Similarity
                                                                • API ID: EncodePointer
                                                                • String ID:
                                                                • API String ID: 2118026453-0
                                                                • Opcode ID: ce6e894f6af14e27445c109a270d6dd7361b41d1aab54238f29ca746adb1fbe1
                                                                • Instruction ID: 431520263327939157f51fc88e48c1f0901b0cc63d469271fe8531e288e3f755
                                                                • Opcode Fuzzy Hash: ce6e894f6af14e27445c109a270d6dd7361b41d1aab54238f29ca746adb1fbe1
                                                                • Instruction Fuzzy Hash: 4A119A719013058FCB20DFA9C9087AFBBF4FB49324F20842AD409A7741D7786944CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions