Loading ...

Play interactive tourEdit tour

Analysis Report Minutes of meeting June 9th.exe

Overview

General Information

Sample Name:Minutes of meeting June 9th.exe
Analysis ID:433114
MD5:ee4b5d2d220b8b925a84755e5ad9fa06
SHA1:4bfa8d3abf280cca85905ce083fe4446ac1d4862
SHA256:31e702dd0fc8ae15e8ca4991263c135709a1d64cda293a4896f89ed3b3699b77
Tags:exe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • Minutes of meeting June 9th.exe (PID: 7048 cmdline: 'C:\Users\user\Desktop\Minutes of meeting June 9th.exe' MD5: EE4B5D2D220B8B925A84755E5AD9FA06)
    • schtasks.exe (PID: 6484 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "jaime.navarro@crigab.cljaimecrigabmail.crigab.cl"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                5.0.Minutes of meeting June 9th.exe.400000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  5.0.Minutes of meeting June 9th.exe.400000.1.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    1.2.Minutes of meeting June 9th.exe.3891e68.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 3 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmpMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "jaime.navarro@crigab.cljaimecrigabmail.crigab.cl"}
                      Source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: Minutes of meeting June 9th.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Minutes of meeting June 9th.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\KcyqvrOAxz\src\obj\Debug\TopLevelAssemblyTypeResolver.pdb source: Minutes of meeting June 9th.exe
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h1_2_078BF580
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h1_2_078BFE60
                      Source: global trafficTCP traffic: 192.168.2.4:49777 -> 173.249.158.24:587
                      Source: Joe Sandbox ViewASN Name: NEXCESS-NETUS NEXCESS-NETUS
                      Source: global trafficTCP traffic: 192.168.2.4:49777 -> 173.249.158.24:587
                      Source: unknownDNS traffic detected: queries for: mail.crigab.cl
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmpString found in binary or memory: http://HXowME.com
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.911271363.000000000340F000.00000004.00000001.sdmpString found in binary or memory: http://crigab.cl
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.911271363.000000000340F000.00000004.00000001.sdmpString found in binary or memory: http://mail.crigab.cl
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671470574.00000000027E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp, Minutes of meeting June 9th.exe, 00000005.00000002.911253197.0000000003409000.00000004.00000001.sdmpString found in binary or memory: http://wB46twoUXvvh.net
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653038111.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html=
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653038111.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlsA
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653986511.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmp, Minutes of meeting June 9th.exe, 00000001.00000003.654058805.0000000005DFB000.00000004.00000001.sdmp, Minutes of meeting June 9th.exe, 00000001.00000003.654314324.0000000005DFB000.00000004.00000001.sdmp, Minutes of meeting June 9th.exe, 00000001.00000003.654630636.0000000005DFB000.00000004.00000001.sdmp, Minutes of meeting June 9th.exe, 00000001.00000003.654283240.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653956331.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653986511.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersp
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.654498129.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.654630636.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comFV
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.654630636.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comT.TTF~
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.654498129.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma2
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.668719407.0000000005DF0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comed
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.654058805.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgreta2
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.654058805.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comic
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comico
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.654630636.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comiond
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comlicF
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoitug
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653956331.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comt$
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comu
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.654498129.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comuef
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.651787789.0000000005DFE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnU
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.650864868.0000000005E03000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnesy
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: Minutes of meeting June 9th.exeString found in binary or memory: http://www.google.com
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653261992.0000000005DFB000.00000004.00000001.sdmp, Minutes of meeting June 9th.exe, 00000001.00000003.652457687.0000000005DFC000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.652883376.0000000005DFC000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.652883376.0000000005DFC000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/2
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653099782.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/;
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.652457687.0000000005DFC000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Hb
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.652457687.0000000005DFC000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/V
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.652283694.0000000005DF4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/W
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653261992.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.652701098.0000000005DFC000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.652701098.0000000005DFC000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/V
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653099782.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/~
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653910343.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653822753.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deR
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.653822753.0000000005DFB000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deos
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                      Source: Minutes of meeting June 9th.exeString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.670227794.0000000000B2B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b803333A8u002dEFF5u002d4E80u002d99CEu002d4C157E275DB7u007d/F3C892EFu002d20E2u002d40F9u002dA4B1u002d80E514D3763B.csLarge array initialization: .cctor: array initializer size 11932
                      Source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b803333A8u002dEFF5u002d4E80u002d99CEu002d4C157E275DB7u007d/F3C892EFu002d20E2u002d40F9u002dA4B1u002d80E514D3763B.csLarge array initialization: .cctor: array initializer size 11932
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_00D9C2B01_2_00D9C2B0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_00D999A01_2_00D999A0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B93B81_2_078B93B8
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B9B401_2_078B9B40
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078BA1401_2_078BA140
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B00401_2_078B0040
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B6F251_2_078B6F25
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B6F501_2_078B6F50
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B4D011_2_078B4D01
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078BA5301_2_078BA530
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B0BA81_2_078B0BA8
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B0BA01_2_078B0BA0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B43B81_2_078B43B8
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B43B01_2_078B43B0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B43681_2_078B4368
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B51E11_2_078B51E1
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B68911_2_078B6891
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B68A01_2_078B68A0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B003F1_2_078B003F
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AFB5811_2_07AFB581
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AFBF291_2_07AFBF29
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AFAE081_2_07AFAE08
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF7CB01_2_07AF7CB0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AFE7A01_2_07AFE7A0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF77001_2_07AF7700
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF76F11_2_07AF76F1
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF02871_2_07AF0287
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF02901_2_07AF0290
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AFF2F81_2_07AFF2F8
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AFA1D71_2_07AFA1D7
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF00061_2_07AF0006
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF00401_2_07AF0040
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AFAE031_2_07AFAE03
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AFEE781_2_07AFEE78
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF7CAF1_2_07AF7CAF
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AFDC181_2_07AFDC18
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AFB9B81_2_07AFB9B8
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07B032901_2_07B03290
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07B059C81_2_07B059C8
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07B060E01_2_07B060E0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07B0B9581_2_07B0B958
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07B0C8A01_2_07B0C8A0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_002520501_2_00252050
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_004022965_2_00402296
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_010E3D205_2_010E3D20
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_010E9BA05_2_010E9BA0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_010EF2405_2_010EF240
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_010EAD585_2_010EAD58
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_010EACA95_2_010EACA9
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_010ED0A05_2_010ED0A0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_011B08E85_2_011B08E8
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_011B2B845_2_011B2B84
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_011B5FB05_2_011B5FB0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_011B82395_2_011B8239
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_011B87185_2_011B8718
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_009620505_2_00962050
                      Source: Minutes of meeting June 9th.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: RfuYgTevtBVukb.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Minutes of meeting June 9th.exe, 00000001.00000003.662013488.0000000005B55000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTopLevelAssemblyTypeResolver.exe6 vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.681736034.000000000D8C0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.681736034.000000000D8C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.678533661.0000000007680000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.670227794.0000000000B2B000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.681406474.0000000007C80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKygo.dll* vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamejJgkoYsZmrwzEQxTTIcpKLqDdgl.exe4 vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.681584092.000000000D7D0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.681334375.0000000007BF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exeBinary or memory string: OriginalFilename vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamejJgkoYsZmrwzEQxTTIcpKLqDdgl.exe4 vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000005.00000000.667890199.0000000000AB6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTopLevelAssemblyTypeResolver.exe6 vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.909841404.00000000010D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910078068.000000000129A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.909466399.0000000000EF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.909867356.00000000010F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exeBinary or memory string: OriginalFilenameTopLevelAssemblyTypeResolver.exe6 vs Minutes of meeting June 9th.exe
                      Source: Minutes of meeting June 9th.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/4@2/1
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile created: C:\Users\user\AppData\Roaming\RfuYgTevtBVukb.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_01
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeMutant created: \Sessions\1\BaseNamedObjects\qIhLjPLhpIZOsEXARyaaScPRQHt
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1C49.tmpJump to behavior
                      Source: Minutes of meeting June 9th.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile read: C:\Users\user\Desktop\Minutes of meeting June 9th.exe:Zone.IdentifierJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Minutes of meeting June 9th.exe 'C:\Users\user\Desktop\Minutes of meeting June 9th.exe'
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess created: C:\Users\user\Desktop\Minutes of meeting June 9th.exe C:\Users\user\Desktop\Minutes of meeting June 9th.exe
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess created: C:\Users\user\Desktop\Minutes of meeting June 9th.exe C:\Users\user\Desktop\Minutes of meeting June 9th.exeJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Minutes of meeting June 9th.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Minutes of meeting June 9th.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: Minutes of meeting June 9th.exeStatic file information: File size 1552896 > 1048576
                      Source: Minutes of meeting June 9th.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x152a00
                      Source: Minutes of meeting June 9th.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Minutes of meeting June 9th.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\KcyqvrOAxz\src\obj\Debug\TopLevelAssemblyTypeResolver.pdb source: Minutes of meeting June 9th.exe
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_002573C3 push 0000006Fh; ret 1_2_002573CE
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B1D16 push es; retf 1_2_078B1D17
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B316D pushfd ; retf 0007h1_2_078B31C9
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF6659 push ds; retf 0007h1_2_07AF665A
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF5E01 push ss; retf 0007h1_2_07AF5E02
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF5E47 push ss; retf 0007h1_2_07AF5E4A
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF5DC0 push ss; retf 0007h1_2_07AF5DC2
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07B0AA30 push dword ptr [eax+edx-75h]; iretd 1_2_07B0AAA2
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_009673C3 push 0000006Fh; ret 5_2_009673CE
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.39720072133
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.39720072133
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile created: C:\Users\user\AppData\Roaming\RfuYgTevtBVukb.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp'
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Minutes of meeting June 9th.exe PID: 7048, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 240000Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239844Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239719Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239610Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239485Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239344Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239235Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239125Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239016Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238891Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238750Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238641Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238453Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238344Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238219Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238110Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237953Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237828Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237719Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237610Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237453Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237344Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237235Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237094Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236985Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236860Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236735Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236594Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236469Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236360Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236203Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236078Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235969Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235860Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235735Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235610Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235453Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235344Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235235Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235094Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234985Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234875Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234766Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234594Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234485Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234344Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234235Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234094Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233953Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233844Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233719Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233610Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233500Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233391Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233282Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233157Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233047Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 232938Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWindow / User API: threadDelayed 1001Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWindow / User API: threadDelayed 7186Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWindow / User API: threadDelayed 856Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWindow / User API: threadDelayed 8958Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -240000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -239844s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -239719s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -239610s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -239485s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -239344s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -239235s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -239125s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -239016s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -238891s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -238750s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -238641s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -238453s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -238344s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -238219s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -238110s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -237953s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -237828s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -237719s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -237610s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -237453s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -237344s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -237235s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -237094s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -236985s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -236860s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -236735s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -236594s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -236469s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -236360s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -236203s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -236078s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -235969s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -235860s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -235735s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -235610s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -235453s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -235344s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -235235s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -235094s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -234985s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -234875s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -234766s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7052Thread sleep time: -101632s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -234594s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -234485s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -234344s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -234235s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -234094s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -233953s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -233844s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -233719s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -233610s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -233500s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -233391s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -233282s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -233157s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -233047s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128Thread sleep time: -232938s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 6372Thread sleep time: -13835058055282155s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 6580Thread sleep count: 856 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 6580Thread sleep count: 8958 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 6372Thread sleep count: 43 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 240000Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239844Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239719Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239610Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239485Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239344Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239235Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239125Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 239016Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238891Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238750Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238641Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238453Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238344Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238219Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 238110Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237953Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237828Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237719Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237610Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237453Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237344Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237235Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 237094Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236985Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236860Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236735Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236594Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236469Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236360Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236203Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 236078Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235969Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235860Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235735Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235610Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235453Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235344Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235235Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 235094Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234985Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234875Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234766Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 101632Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234594Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234485Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234344Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234235Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 234094Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233953Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233844Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233719Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233610Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233500Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233391Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233282Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233157Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 233047Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 232938Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910178371.0000000001308000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_010ECCF0 LdrInitializeThunk,5_2_010ECCF0
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeMemory written: C:\Users\user\Desktop\Minutes of meeting June 9th.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess created: C:\Users\user\Desktop\Minutes of meeting June 9th.exe C:\Users\user\Desktop\Minutes of meeting June 9th.exeJump to behavior
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910411853.00000000018F0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910411853.00000000018F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910411853.00000000018F0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: Minutes of meeting June 9th.exe, 00000005.00000002.910411853.00000000018F0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Users\user\Desktop\Minutes of meeting June 9th.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Users\user\Desktop\Minutes of meeting June 9th.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, type: UNPACKEDPE
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Minutes of meeting June 9th.exe PID: 5832, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Minutes of meeting June 9th.exe PID: 7048, type: MEMORY
                      Source: Yara matchFile source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Yara matchFile source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Minutes of meeting June 9th.exe PID: 5832, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, type: UNPACKEDPE
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Minutes of meeting June 9th.exe PID: 5832, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Minutes of meeting June 9th.exe PID: 7048, type: MEMORY
                      Source: Yara matchFile source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Scheduled Task/Job1Process Injection112Disable or Modify Tools1OS Credential Dumping2File and Directory Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Deobfuscate/Decode Files or Information1Input Capture1System Information Discovery114Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information3Credentials in Registry1Query Registry1SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing2NTDSSecurity Software Discovery221Distributed Component Object ModelInput Capture1Scheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading1LSA SecretsProcess Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion141Cached Domain CredentialsVirtualization/Sandbox Evasion141VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection112DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\RfuYgTevtBVukb.exe9%ReversingLabsByteCode-MSIL.Trojan.Wacatac

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      5.0.Minutes of meeting June 9th.exe.400000.1.unpack100%AviraTR/Spy.Gen8Download File
                      5.2.Minutes of meeting June 9th.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://www.fontbureau.comFV0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://wB46twoUXvvh.net0%Avira URL Cloudsafe
                      http://www.fontbureau.comuef0%Avira URL Cloudsafe
                      http://www.fontbureau.comgreta20%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnU0%Avira URL Cloudsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/Hb0%Avira URL Cloudsafe
                      http://www.ascendercorp.com/typedesigners.html=0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/~0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/~0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/~0%URL Reputationsafe
                      http://www.urwpp.deos0%Avira URL Cloudsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.fontbureau.comt$0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/20%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/20%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/20%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/-0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/-0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/-0%URL Reputationsafe
                      http://www.ascendercorp.com/typedesigners.htmlsA0%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.fontbureau.comed0%Avira URL Cloudsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.fontbureau.comoitug0%Avira URL Cloudsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/V0%Avira URL Cloudsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://www.fontbureau.comT.TTF~0%Avira URL Cloudsafe
                      http://www.fontbureau.comlicF0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/W0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/W0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/W0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://HXowME.com0%Avira URL Cloudsafe
                      http://www.fontbureau.comF0%URL Reputationsafe
                      http://www.fontbureau.comF0%URL Reputationsafe
                      http://www.fontbureau.comF0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/V0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/V0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/V0%URL Reputationsafe
                      http://www.fontbureau.comico0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.fontbureau.comic0%Avira URL Cloudsafe
                      http://www.urwpp.deR0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://mail.crigab.cl0%Avira URL Cloudsafe
                      http://www.fontbureau.come.com0%URL Reputationsafe
                      http://www.fontbureau.come.com0%URL Reputationsafe
                      http://www.fontbureau.come.com0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      crigab.cl
                      173.249.158.24
                      truetrue
                        unknown
                        mail.crigab.cl
                        unknown
                        unknowntrue
                          unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://127.0.0.1:HTTP/1.1Minutes of meeting June 9th.exe, 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          low
                          http://www.fontbureau.com/designersGMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                            high
                            http://www.fontbureau.comFVMinutes of meeting June 9th.exe, 00000001.00000003.654630636.0000000005DFB000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.fontbureau.com/designers/?Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                              high
                              http://www.founder.com.cn/cn/bTheMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://wB46twoUXvvh.netMinutes of meeting June 9th.exe, 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp, Minutes of meeting June 9th.exe, 00000005.00000002.911253197.0000000003409000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.comuefMinutes of meeting June 9th.exe, 00000001.00000003.654498129.0000000005DFB000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designers?Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                high
                                http://www.fontbureau.comgreta2Minutes of meeting June 9th.exe, 00000001.00000003.654058805.0000000005DFB000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.founder.com.cn/cnUMinutes of meeting June 9th.exe, 00000001.00000003.651787789.0000000005DFE000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.tiro.comMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designersMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmp, Minutes of meeting June 9th.exe, 00000001.00000003.654058805.0000000005DFB000.00000004.00000001.sdmp, Minutes of meeting June 9th.exe, 00000001.00000003.654314324.0000000005DFB000.00000004.00000001.sdmp, Minutes of meeting June 9th.exe, 00000001.00000003.654630636.0000000005DFB000.00000004.00000001.sdmp, Minutes of meeting June 9th.exe, 00000001.00000003.654283240.0000000005DFB000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.goodfont.co.krMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/HbMinutes of meeting June 9th.exe, 00000001.00000003.652457687.0000000005DFC000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.ascendercorp.com/typedesigners.html=Minutes of meeting June 9th.exe, 00000001.00000003.653038111.0000000005DFB000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssMinutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.jiyu-kobo.co.jp/~Minutes of meeting June 9th.exe, 00000001.00000003.653099782.0000000005DFB000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deosMinutes of meeting June 9th.exe, 00000001.00000003.653822753.0000000005DFB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.sajatypeworks.comMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.typography.netDMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cn/cTheMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://fontfabrik.comMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.comt$Minutes of meeting June 9th.exe, 00000001.00000003.653956331.0000000005DFB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    low
                                    http://www.jiyu-kobo.co.jp/2Minutes of meeting June 9th.exe, 00000001.00000003.652883376.0000000005DFC000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/-Minutes of meeting June 9th.exe, 00000001.00000003.652883376.0000000005DFC000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.ascendercorp.com/typedesigners.htmlsAMinutes of meeting June 9th.exe, 00000001.00000003.653038111.0000000005DFB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.fontbureau.com/Minutes of meeting June 9th.exe, 00000001.00000003.653986511.0000000005DFB000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.galapagosdesign.com/DPleaseMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comedMinutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fonts.comMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.sandoll.co.krMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.comoitugMinutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.urwpp.deDPleaseMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.urwpp.deMinutes of meeting June 9th.exe, 00000001.00000003.653910343.0000000005DFB000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.zhongyicts.com.cnMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/jp/VMinutes of meeting June 9th.exe, 00000001.00000003.652701098.0000000005DFC000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMinutes of meeting June 9th.exe, 00000001.00000002.671470574.00000000027E1000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.fontbureau.com/designerspMinutes of meeting June 9th.exe, 00000001.00000003.653986511.0000000005DFB000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sakkal.comMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipMinutes of meeting June 9th.exefalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comT.TTF~Minutes of meeting June 9th.exe, 00000001.00000003.654630636.0000000005DFB000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.fontbureau.comlicFMinutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.apache.org/licenses/LICENSE-2.0Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.fontbureau.comMinutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.jiyu-kobo.co.jp/WMinutes of meeting June 9th.exe, 00000001.00000003.652283694.0000000005DF4000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://DynDns.comDynDNSMinutes of meeting June 9th.exe, 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://HXowME.comMinutes of meeting June 9th.exe, 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.comFMinutes of meeting June 9th.exe, 00000001.00000003.654498129.0000000005DFB000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/VMinutes of meeting June 9th.exe, 00000001.00000003.652457687.0000000005DFC000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comicoMinutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haMinutes of meeting June 9th.exe, 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comicMinutes of meeting June 9th.exe, 00000001.00000003.654058805.0000000005DFB000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.urwpp.deRMinutes of meeting June 9th.exe, 00000001.00000003.653822753.0000000005DFB000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/jp/Minutes of meeting June 9th.exe, 00000001.00000003.653261992.0000000005DFB000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://mail.crigab.clMinutes of meeting June 9th.exe, 00000005.00000002.911271363.000000000340F000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.come.comMinutes of meeting June 9th.exe, 00000001.00000003.668719407.0000000005DF0000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.carterandcone.comlMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/;Minutes of meeting June 9th.exe, 00000001.00000003.653099782.0000000005DFB000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.coma2Minutes of meeting June 9th.exe, 00000001.00000003.654498129.0000000005DFB000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.fontbureau.comiondMinutes of meeting June 9th.exe, 00000001.00000003.654630636.0000000005DFB000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.founder.com.cn/cnMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/frere-user.htmlMinutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.jiyu-kobo.co.jp/Minutes of meeting June 9th.exe, 00000001.00000003.653261992.0000000005DFB000.00000004.00000001.sdmp, Minutes of meeting June 9th.exe, 00000001.00000003.652457687.0000000005DFC000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.comoMinutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/jp/-Minutes of meeting June 9th.exe, 00000001.00000003.652701098.0000000005DFC000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers8Minutes of meeting June 9th.exe, 00000001.00000002.675580325.0000000005EE0000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.fontbureau.comuMinutes of meeting June 9th.exe, 00000001.00000003.655341161.0000000005DFA000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/Minutes of meeting June 9th.exe, 00000001.00000003.653956331.0000000005DFB000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://crigab.clMinutes of meeting June 9th.exe, 00000005.00000002.911271363.000000000340F000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.founder.com.cn/cnesyMinutes of meeting June 9th.exe, 00000001.00000003.650864868.0000000005E03000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown

                                                        Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        173.249.158.24
                                                        crigab.clUnited States
                                                        36444NEXCESS-NETUStrue

                                                        General Information

                                                        Joe Sandbox Version:32.0.0 Black Diamond
                                                        Analysis ID:433114
                                                        Start date:11.06.2021
                                                        Start time:10:33:15
                                                        Joe Sandbox Product:CloudBasic
                                                        Overall analysis duration:0h 8m 47s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Sample file name:Minutes of meeting June 9th.exe
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                        Number of analysed new started processes analysed:17
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • HDC enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@6/4@2/1
                                                        EGA Information:Failed
                                                        HDC Information:
                                                        • Successful, ratio: 0.3% (good quality ratio 0.2%)
                                                        • Quality average: 44.3%
                                                        • Quality standard deviation: 30.1%
                                                        HCA Information:
                                                        • Successful, ratio: 91%
                                                        • Number of executed functions: 87
                                                        • Number of non-executed functions: 31
                                                        Cookbook Comments:
                                                        • Adjust boot time
                                                        • Enable AMSI
                                                        • Found application associated with file extension: .exe
                                                        Warnings:
                                                        Show All
                                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                        • Excluded IPs from analysis (whitelisted): 52.147.198.201, 52.113.196.254, 13.107.3.254, 13.107.246.254, 104.43.139.144, 104.43.193.48, 168.61.161.212, 20.82.210.154, 20.54.104.15, 20.54.26.129, 2.20.142.209, 2.20.142.210, 20.82.209.183, 92.122.213.194, 92.122.213.247
                                                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, s-ring.msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                        Simulations

                                                        Behavior and APIs

                                                        TimeTypeDescription
                                                        10:34:02API Interceptor759x Sleep call for process: Minutes of meeting June 9th.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        No context

                                                        Domains

                                                        No context

                                                        ASN

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        NEXCESS-NETUSMiral-Purushotham.verra.htmGet hashmaliciousBrowse
                                                        • 173.249.159.98
                                                        BL Draft copy.exeGet hashmaliciousBrowse
                                                        • 67.20.61.90
                                                        RFQ Order - Mediform S.A-pdf.exeGet hashmaliciousBrowse
                                                        • 209.126.18.3
                                                        https://joom.ag/yGUCGet hashmaliciousBrowse
                                                        • 67.20.61.14
                                                        https://saveunbornlife.org/wp-includes/random_compat/fireweb/login.html#info@americasleading.comGet hashmaliciousBrowse
                                                        • 209.87.159.167
                                                        Claim-2020190722-10092020.xlsGet hashmaliciousBrowse
                                                        • 8.29.130.206
                                                        Claim-2020190722-10092020.xlsGet hashmaliciousBrowse
                                                        • 8.29.130.206
                                                        https://4ac1b1774f.nxcli.net/content/adobe-RD28/index.htmlGet hashmaliciousBrowse
                                                        • 8.29.157.202
                                                        https://4ac1b1774f.nxcli.net/content/adobe-RD28/index.htmlGet hashmaliciousBrowse
                                                        • 8.29.157.202
                                                        https://u13866594.ct.sendgrid.net/ls/click?upn=zXrfjgsxrhwKJV2JEsds02DTKlA-2FKjP3ouTKap6tb-2BaHzPZGmjljWdY-2B8eIVgUp6FZt5WEBkptcUgYHGhLdiXIOOcI4quBIBQq-2FI5KivR9ZJcyXiEilPAbFSOTDEzsr8Wg7E9oxBKcFAygB5REMrDA-3D-3DfSmP_JrfdLO9c93xZuhsRHgFhRVDV8bLIln4lYk4aksXNrQT2hmY9LW1-2BwLQhc6eTeTp4EE5NUs8Klx5-2Fha7j5IkjVAbFl1T37-2BhQ2JWSaf7-2FBSF9alW21qJuxs-2B5W9BOyD1t4-2BxoIqaCGgqkyhimaS73eUj7LLB8nO3AAnBWZFTFKyd1HKj5Vs7AyIQ6lif5qThylDp9fqArjJYdvxUltYS65reC4G6lXlAEY85yMHqyEg8-3DGet hashmaliciousBrowse
                                                        • 173.249.151.38
                                                        http://u8824451.ct.sendgrid.net/ls/click?upn=5fYtplO-2FP4S37YYMUNVFFIYhCASYIhBbksOQ-2FihRkfMagXRLczMdDWyGKLdaZ2fGhDy-2F2d9wvh3PmFD5Sd8YlrIZf9YbBnjsARk2gQWkDh7EtRQeoc6vexcl-2F5xnJda6NJSpa6VgcIL99Z9lzFDK2g-3D-3DJZGb_Zf9noBSXp6zmd8gcAmse0KbOcMdKjdFVksgJt8-2FyUPRtkP4eQAkARHJz9LCsuAXZYmX90WUOo27t0l8tRPd-2BGboZnCD837dyUOzvwZQdq8YyTSBwQz1tmOMo8vOOGjUDn7S-2B-2BvWNHLAYT3doPJ5P9O4MJLNaRyHO39WJVaD-2FaysKv78DQH3AuD-2Br9cP-2Fkv2RSdS4tsTx8jv2duyxUVT2HF-2FSG9MUjWRrKmvZe0PvAPM-3DGet hashmaliciousBrowse
                                                        • 209.126.25.245
                                                        Electronic form.docGet hashmaliciousBrowse
                                                        • 173.249.157.230
                                                        Electronic form.docGet hashmaliciousBrowse
                                                        • 173.249.157.230
                                                        Electronic form.docGet hashmaliciousBrowse
                                                        • 173.249.157.230
                                                        https://u14688309.ct.sendgrid.net/ls/click?upn=cYiEKVN9lp-2Fx5BNj7S4OzK5I0wmQnNsEyIXHxuR49Y0mFRm5J-2FOvpTZPGVL-2FGaaV1CNEoN1qO2tnUYAsgY7JeZw8g-2FkrIoH7rbEUkNbx58SdDpO0thwug5jJN-2Frup8vaurnMgjuwNweyZIS2CZ3jkA-3D-3DT50W_5fL-2BdZKd8ocMNHc9SFg5eh8Z492W4iYSRnF7u-2BCYs3ycMEdZGjLCvGu2ugUBziXSXaqkh1V-2Fsa99ub68wrh5OdrzEnVOu7TsGbzWwItjPTAUliDykKj-2BrGf-2FnoWP8k64P1CqxPB7O6uti-2BRXKqKaFo62vIKvcgA6010v7qKaYTDacfsNG-2FrdMkVVmeY92oyIYHVAFv40AyUGcaYUyimPMp-2BUSUwNLaX-2B-2FFzXvJQNPfi1wlnZNSvwMO-2FCM-2F5SSLgeGet hashmaliciousBrowse
                                                        • 209.126.25.245
                                                        https://u14688309.ct.sendgrid.net/ls/click?upn=cYiEKVN9lp-2Fx5BNj7S4OzK5I0wmQnNsEyIXHxuR49Y0mFRm5J-2FOvpTZPGVL-2FGaaV1CNEoN1qO2tnUYAsgY7JeZw8g-2FkrIoH7rbEUkNbx58SdDpO0thwug5jJN-2Frup8vaurnMgjuwNweyZIS2CZ3jkA-3D-3DtIcy_5fL-2BdZKd8ocMNHc9SFg5eh8Z492W4iYSRnF7u-2BCYs3ycMEdZGjLCvGu2ugUBziXSXaqkh1V-2Fsa99ub68wrh5OYz6cwOQ7Ot7CgyHJLSBUMG4eMwFRNpKSXwViJxXZcm-2Fun8LUg4JO6z5VtX1zs4YB-2Fft6HB6af-2B0DDiujru0fMifBRcnU9Fi-2FbYW8hlsgmAQC6pODhn8vANdinP-2FA-2FtozTt92M3JpYIKg6Jj-2BLa7t1zJrg6EOnVP-2FGO59JpMZSlpGet hashmaliciousBrowse
                                                        • 209.126.25.245
                                                        QW8524983075IS.docGet hashmaliciousBrowse
                                                        • 173.249.157.230
                                                        QW8524983075IS.docGet hashmaliciousBrowse
                                                        • 173.249.157.230
                                                        QW8524983075IS.docGet hashmaliciousBrowse
                                                        • 173.249.157.230
                                                        mZebTSV5Pp.docGet hashmaliciousBrowse
                                                        • 173.249.157.230

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Minutes of meeting June 9th.exe.log
                                                        Process:C:\Users\user\Desktop\Minutes of meeting June 9th.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):1400
                                                        Entropy (8bit):5.344635889251176
                                                        Encrypted:false
                                                        SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEg:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHV
                                                        MD5:394E646B019FF472CE37EE76A647A27F
                                                        SHA1:BD5872D88EE9CD2299B5F0E462C53D9E7040D6DA
                                                        SHA-256:2295A0B1F6ACD75FB5D038ADE65725EDF3DDF076107AEA93E4A864E35974AE2A
                                                        SHA-512:7E95510C85262998AECC9A06A73A5BF6352304AF6EE143EC7E48A17473773F33A96A2F4146446444789B8BCC9B83372A227DC89C3D326A2E142BCA1E1A9B4809
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                        C:\Users\user\AppData\Local\Temp\tmp1C49.tmp
                                                        Process:C:\Users\user\Desktop\Minutes of meeting June 9th.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1647
                                                        Entropy (8bit):5.184913133325714
                                                        Encrypted:false
                                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGQ9tn:cbhK79lNQR/rydbz9I3YODOLNdq31
                                                        MD5:51A0296D50D19C44A767FB7256285438
                                                        SHA1:F5D712FADFAF2975F12F55E357FDBF9DB6CC3772
                                                        SHA-256:1E8EED0B81F03036E346C7C79FCBE10E68D152162903F4282BB12841F64399AA
                                                        SHA-512:E1AFA3981131BB90DD0CC03808DBD1FC7E891D99DAA8EC8719669599A0B84B95F0B2F4C1AEE733F759A9616D2894579543DD40939D446C0F765D65475E6CBC7C
                                                        Malicious:true
                                                        Reputation:low
                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                        C:\Users\user\AppData\Roaming\RfuYgTevtBVukb.exe
                                                        Process:C:\Users\user\Desktop\Minutes of meeting June 9th.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1552896
                                                        Entropy (8bit):7.307230517877139
                                                        Encrypted:false
                                                        SSDEEP:24576:5ONeBUdtwsEgwsoe/z8YEoqSg5LlJfH6zMIDsxTt8nUhqF+39k6aq0+imRIyY/r:EwBUwsEgwsoe5U/BldO/jFyHaq0lyIye
                                                        MD5:EE4B5D2D220B8B925A84755E5AD9FA06
                                                        SHA1:4BFA8D3ABF280CCA85905CE083FE4446AC1D4862
                                                        SHA-256:31E702DD0FC8AE15E8CA4991263C135709A1D64CDA293A4896F89ED3B3699B77
                                                        SHA-512:101B8FEC687AAA86F558188832C3A0C77264EDE18A962772E68C678C24D6FFBEA135188B53D291641A472A27E4241A152180960B45428435CA359E20AD214F2A
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                        Reputation:low
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..*...........I... ...`....@.. ....................... ............@..................................H..O....`...............................G............................................... ............... ..H............text...4)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc..............................@..B.................I......H............D...........................................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....o....(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*&..(1....*...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....
                                                        C:\Users\user\AppData\Roaming\RfuYgTevtBVukb.exe:Zone.Identifier
                                                        Process:C:\Users\user\Desktop\Minutes of meeting June 9th.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview: [ZoneTransfer]....ZoneId=0

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.307230517877139
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:Minutes of meeting June 9th.exe
                                                        File size:1552896
                                                        MD5:ee4b5d2d220b8b925a84755e5ad9fa06
                                                        SHA1:4bfa8d3abf280cca85905ce083fe4446ac1d4862
                                                        SHA256:31e702dd0fc8ae15e8ca4991263c135709a1d64cda293a4896f89ed3b3699b77
                                                        SHA512:101b8fec687aaa86f558188832c3a0c77264ede18a962772e68c678c24d6ffbea135188b53d291641a472a27e4241a152180960b45428435ca359e20ad214f2a
                                                        SSDEEP:24576:5ONeBUdtwsEgwsoe/z8YEoqSg5LlJfH6zMIDsxTt8nUhqF+39k6aq0+imRIyY/r:EwBUwsEgwsoe5U/BldO/jFyHaq0lyIye
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..*...........I... ...`....@.. ....................... ............@................................

                                                        File Icon

                                                        Icon Hash:e0c6a169f4bed870

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x55492e
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x60C3140B [Fri Jun 11 07:43:07 2021 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:v4.0.30319
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x1548dc0x4f.text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x1560000x2838c.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x1800000xc.reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x1547a40x1c.text
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x20000x1529340x152a00False0.699034901024data7.39720072133IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rsrc0x1560000x2838c0x28400False0.599845933618data6.35335609293IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0x1800000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountry
                                                        RT_ICON0x1561a00x468GLS_BINARY_LSB_FIRST
                                                        RT_ICON0x1566180x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                                        RT_ICON0x1576d00x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                                        RT_ICON0x159c880x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                                        RT_ICON0x15dec00x10828dBase III DBT, version number 0, next free block index 40
                                                        RT_ICON0x16e6f80xf255PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                        RT_GROUP_ICON0x17d9600x5adata
                                                        RT_VERSION0x17d9cc0x3cedata
                                                        RT_MANIFEST0x17ddac0x5daXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                        Imports

                                                        DLLImport
                                                        mscoree.dll_CorExeMain

                                                        Version Infos

                                                        DescriptionData
                                                        Translation0x0000 0x04b0
                                                        LegalCopyrightCopyright 2015 Benz
                                                        Assembly Version1.6.0.65
                                                        InternalNameTopLevelAssemblyTypeResolver.exe
                                                        FileVersion1.6.0.65
                                                        CompanyNameTown and Country Convenience Stores
                                                        LegalTrademarks
                                                        Comments
                                                        ProductNameCDWorkFlow
                                                        ProductVersion1.6.0.65
                                                        FileDescriptionCDWorkFlow
                                                        OriginalFilenameTopLevelAssemblyTypeResolver.exe

                                                        Network Behavior

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jun 11, 2021 10:35:53.319247961 CEST49777587192.168.2.4173.249.158.24
                                                        Jun 11, 2021 10:35:53.473428011 CEST58749777173.249.158.24192.168.2.4
                                                        Jun 11, 2021 10:35:53.473726988 CEST49777587192.168.2.4173.249.158.24
                                                        Jun 11, 2021 10:35:53.879920959 CEST58749777173.249.158.24192.168.2.4
                                                        Jun 11, 2021 10:35:53.880697012 CEST49777587192.168.2.4173.249.158.24
                                                        Jun 11, 2021 10:35:54.075145006 CEST58749777173.249.158.24192.168.2.4
                                                        Jun 11, 2021 10:35:54.419498920 CEST58749777173.249.158.24192.168.2.4
                                                        Jun 11, 2021 10:35:54.420450926 CEST49777587192.168.2.4173.249.158.24
                                                        Jun 11, 2021 10:35:54.575196028 CEST58749777173.249.158.24192.168.2.4
                                                        Jun 11, 2021 10:35:54.576607943 CEST58749777173.249.158.24192.168.2.4
                                                        Jun 11, 2021 10:35:54.576687098 CEST49777587192.168.2.4173.249.158.24
                                                        Jun 11, 2021 10:35:54.579893112 CEST49777587192.168.2.4173.249.158.24
                                                        Jun 11, 2021 10:35:54.733411074 CEST58749777173.249.158.24192.168.2.4

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jun 11, 2021 10:33:56.290431023 CEST5309753192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:33:56.341996908 CEST53530978.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:33:57.330971956 CEST4925753192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:33:57.386940956 CEST53492578.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:33:57.513700008 CEST6238953192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:33:57.564064026 CEST53623898.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:33:57.823036909 CEST4991053192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:33:57.877491951 CEST53499108.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:33:58.043072939 CEST5585453192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:33:58.099106073 CEST53558548.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:33:58.180588007 CEST6454953192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:33:58.230870008 CEST53645498.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:33:59.621726036 CEST6315353192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:33:59.681188107 CEST53631538.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:00.967665911 CEST5299153192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:01.017910957 CEST53529918.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:03.082721949 CEST5370053192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:03.134270906 CEST53537008.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:04.677480936 CEST5172653192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:04.736222982 CEST53517268.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:05.648658991 CEST5679453192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:05.702225924 CEST53567948.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:06.561427116 CEST5653453192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:06.621249914 CEST53565348.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:09.032438993 CEST5662753192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:09.082566977 CEST53566278.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:09.980338097 CEST5662153192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:10.031027079 CEST53566218.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:10.952074051 CEST6311653192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:11.002082109 CEST53631168.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:11.876445055 CEST6407853192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:11.926604986 CEST53640788.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:13.052963018 CEST6480153192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:13.114428043 CEST53648018.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:22.675352097 CEST6172153192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:22.736996889 CEST53617218.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:23.669648886 CEST5125553192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:23.719836950 CEST53512558.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:24.582063913 CEST6152253192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:24.635190964 CEST53615228.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:25.110411882 CEST5233753192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:25.173124075 CEST53523378.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:25.641455889 CEST5504653192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:25.703164101 CEST53550468.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:41.844541073 CEST4961253192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:41.988982916 CEST53496128.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:42.566684961 CEST4928553192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:42.576778889 CEST5060153192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:42.628413916 CEST53492858.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:42.645960093 CEST53506018.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:43.163948059 CEST6087553192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:43.316416025 CEST53608758.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:43.777223110 CEST5644853192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:43.838964939 CEST53564488.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:44.372895002 CEST5917253192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:44.434624910 CEST53591728.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:44.974304914 CEST6242053192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:45.038090944 CEST53624208.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:45.479558945 CEST6057953192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:45.539040089 CEST53605798.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:46.281991005 CEST5018353192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:46.344120026 CEST53501838.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:47.228070974 CEST6153153192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:47.287065983 CEST53615318.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:47.689727068 CEST4922853192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:47.749660969 CEST53492288.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:50.909270048 CEST5979453192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:50.968363047 CEST53597948.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:59.658808947 CEST5591653192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:59.692982912 CEST5275253192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:34:59.727289915 CEST53559168.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:34:59.743439913 CEST53527528.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:35:02.536353111 CEST6054253192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:35:02.596685886 CEST53605428.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:35:35.419301987 CEST6068953192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:35:35.493822098 CEST53606898.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:35:37.047209024 CEST6420653192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:35:37.106333971 CEST53642068.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:35:52.829802990 CEST5090453192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:35:53.027034044 CEST53509048.8.8.8192.168.2.4
                                                        Jun 11, 2021 10:35:53.043632030 CEST5752553192.168.2.48.8.8.8
                                                        Jun 11, 2021 10:35:53.216770887 CEST53575258.8.8.8192.168.2.4

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                        Jun 11, 2021 10:35:52.829802990 CEST192.168.2.48.8.8.80x4e11Standard query (0)mail.crigab.clA (IP address)IN (0x0001)
                                                        Jun 11, 2021 10:35:53.043632030 CEST192.168.2.48.8.8.80x3c1fStandard query (0)mail.crigab.clA (IP address)IN (0x0001)

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                        Jun 11, 2021 10:35:53.027034044 CEST8.8.8.8192.168.2.40x4e11No error (0)mail.crigab.clcrigab.clCNAME (Canonical name)IN (0x0001)
                                                        Jun 11, 2021 10:35:53.027034044 CEST8.8.8.8192.168.2.40x4e11No error (0)crigab.cl173.249.158.24A (IP address)IN (0x0001)
                                                        Jun 11, 2021 10:35:53.216770887 CEST8.8.8.8192.168.2.40x3c1fNo error (0)mail.crigab.clcrigab.clCNAME (Canonical name)IN (0x0001)
                                                        Jun 11, 2021 10:35:53.216770887 CEST8.8.8.8192.168.2.40x3c1fNo error (0)crigab.cl173.249.158.24A (IP address)IN (0x0001)

                                                        SMTP Packets

                                                        TimestampSource PortDest PortSource IPDest IPCommands
                                                        Jun 11, 2021 10:35:53.879920959 CEST58749777173.249.158.24192.168.2.4220-ww1.hechile.com ESMTP Exim 4.94.2 #2 Fri, 11 Jun 2021 04:35:53 -0400
                                                        220-We do not authorize the use of this system to transport unsolicited,
                                                        220 and/or bulk e-mail.
                                                        Jun 11, 2021 10:35:53.880697012 CEST49777587192.168.2.4173.249.158.24EHLO 494126
                                                        Jun 11, 2021 10:35:54.419498920 CEST58749777173.249.158.24192.168.2.4250-ww1.hechile.com Hello 494126 [84.17.52.18]
                                                        250-SIZE 52428800
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-PIPE_CONNECT
                                                        250-STARTTLS
                                                        250 HELP
                                                        Jun 11, 2021 10:35:54.420450926 CEST49777587192.168.2.4173.249.158.24MAIL FROM:<jaime.navarro@crigab.cl>
                                                        Jun 11, 2021 10:35:54.575196028 CEST58749777173.249.158.24192.168.2.4550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

                                                        Code Manipulations

                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Start time:10:34:00
                                                        Start date:11/06/2021
                                                        Path:C:\Users\user\Desktop\Minutes of meeting June 9th.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\Minutes of meeting June 9th.exe'
                                                        Imagebase:0x250000
                                                        File size:1552896 bytes
                                                        MD5 hash:EE4B5D2D220B8B925A84755E5AD9FA06
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        General

                                                        Start time:10:34:10
                                                        Start date:11/06/2021
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp'
                                                        Imagebase:0x2d0000
                                                        File size:185856 bytes
                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:10:34:10
                                                        Start date:11/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:10:34:11
                                                        Start date:11/06/2021
                                                        Path:C:\Users\user\Desktop\Minutes of meeting June 9th.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\Minutes of meeting June 9th.exe
                                                        Imagebase:0x960000
                                                        File size:1552896 bytes
                                                        MD5 hash:EE4B5D2D220B8B925A84755E5AD9FA06
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        Disassembly

                                                        Code Analysis

                                                        Reset < >

                                                          Executed Functions

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: '[YD$|
                                                          • API String ID: 0-2372260722
                                                          • Opcode ID: 9f4ba865087f01581dde9668e1c6df6eaf381d54d89268a687e3f8af39c507ee
                                                          • Instruction ID: 458acc63064cdc21167a6dfe1b841e5e890c87ac771bd3ab0574993f71843531
                                                          • Opcode Fuzzy Hash: 9f4ba865087f01581dde9668e1c6df6eaf381d54d89268a687e3f8af39c507ee
                                                          • Instruction Fuzzy Hash: 25C11574E16218DFDB14CFA4D942BEDBBB2FB89310F209429E505BB394DB74A9418F14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: <#9U
                                                          • API String ID: 0-3023521917
                                                          • Opcode ID: f43dbd7b7beb99494358a35da963bb36a7d3f49bf919f10503172a4fbee679ad
                                                          • Instruction ID: beaf7add2d015515bbc1436d7bdc5aaa0f4e051bb104fbc33b5a664a7dd8a715
                                                          • Opcode Fuzzy Hash: f43dbd7b7beb99494358a35da963bb36a7d3f49bf919f10503172a4fbee679ad
                                                          • Instruction Fuzzy Hash: 01514DB0E19218DBCB18CFA5D9815DDFBF2FB9E250F14942AD505F7354DB38A9018B28
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681123532.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 328cf26a15e549d759c6fe337287d1ce93a232b017a3e040ab962c101a8a5967
                                                          • Instruction ID: 1522fbf2264deefcd00eb6d89d3d756adf83239fc04e213b387f6ea1388b351d
                                                          • Opcode Fuzzy Hash: 328cf26a15e549d759c6fe337287d1ce93a232b017a3e040ab962c101a8a5967
                                                          • Instruction Fuzzy Hash: C442F6B8714608CFDB189B78D4996697BF2FF89205F1048BEE506DB7A0DF319842CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681123532.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a9360dbd4798030c7e60f77eb99c05d0c4f02f9690cdbc517aff121915865718
                                                          • Instruction ID: 41f42133fa3d322ee0adb35475baa25eeb379c114b292c7d61d930a5fb983807
                                                          • Opcode Fuzzy Hash: a9360dbd4798030c7e60f77eb99c05d0c4f02f9690cdbc517aff121915865718
                                                          • Instruction Fuzzy Hash: B5226A74A00219CFDB24DF68C884A9DBBB2FF89304F15C595E509AB265DB30EE95CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4669d937faa3ff21e5e8495885b217e754b984252144f2b2c7c3fe3991e4a99a
                                                          • Instruction ID: 14b6b4bd2f584e50e0176d6edd208b4256d8928e60303117f6bbd91cf2b9db98
                                                          • Opcode Fuzzy Hash: 4669d937faa3ff21e5e8495885b217e754b984252144f2b2c7c3fe3991e4a99a
                                                          • Instruction Fuzzy Hash: BEA126B1E04219CFEB14DFE9C8407AEBBB2BF89314F54C069E618A7255EB314986CF51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3ccb1aa6a1133114dd71c3a11cf557139a00d20731f88f4f65fc19bf536df81f
                                                          • Instruction ID: 124821ed7e7ba1ebebb6c0fd98d5df5a42c37a21fbd1a9beebc9a5c26ce1c06b
                                                          • Opcode Fuzzy Hash: 3ccb1aa6a1133114dd71c3a11cf557139a00d20731f88f4f65fc19bf536df81f
                                                          • Instruction Fuzzy Hash: 908119B1E04219CFEB14DFE9C8407ADBBB2BF89314F54C0A9E618A7255EB304A85CF51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e9d4bd741cb6f79cd9a888cbdc3b32b0d27cb12e27196c7fe9b86f910d6e12c6
                                                          • Instruction ID: 5d965883826c5dc002cabf7897ca9a5a7d06bd01cc99e9fe4a0e5ba44d8fef4a
                                                          • Opcode Fuzzy Hash: e9d4bd741cb6f79cd9a888cbdc3b32b0d27cb12e27196c7fe9b86f910d6e12c6
                                                          • Instruction Fuzzy Hash: CA81D0B4E11218DFCB18CFA5D8455EEBBB2FF89340F20942AD816AB354DB349902CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 66d494ca257edeef02f1638a6e819a5e254ea01fea147bb438367e3bf3cc234a
                                                          • Instruction ID: f7dc85bdcb9b223cf173859c674522e75a203cca6b18ff42513a85239cbe73f2
                                                          • Opcode Fuzzy Hash: 66d494ca257edeef02f1638a6e819a5e254ea01fea147bb438367e3bf3cc234a
                                                          • Instruction Fuzzy Hash: E081B0B4E10219CFDB08CFE9C984ADDBBB2EF89300F14C52AE529AB354D77499428B54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d252ee35278f1e9c384f5f6546400a2cc1bfe72d31334f7596f2a5b44b26016d
                                                          • Instruction ID: 2de645d75c23dd39f35b9bcd0666c998b505ebbe9bc979c8bd59c7c87e5156ad
                                                          • Opcode Fuzzy Hash: d252ee35278f1e9c384f5f6546400a2cc1bfe72d31334f7596f2a5b44b26016d
                                                          • Instruction Fuzzy Hash: 8A81A0B4E10219CFDB08CFE9C9846DEBBB2AF89300F14C52AE919AB354D7349946CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c9465c51e6e5e3bdd840ad68c78adb96e117a9cb6a728d094cc77f6177f22809
                                                          • Instruction ID: f63ebaf9919dc356acb724d1c43e6041fdefdaf7156202b018279f057f98fb66
                                                          • Opcode Fuzzy Hash: c9465c51e6e5e3bdd840ad68c78adb96e117a9cb6a728d094cc77f6177f22809
                                                          • Instruction Fuzzy Hash: 445103B0E146198FDB48CFAAC9406AEFBF2FB89301F14D12AE51AA7254D7344A41CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 498947f7a6417638a64e354513b089abf20ae730521669c71f62c8f5ed6c8dc5
                                                          • Instruction ID: 28e635882fe383c05a188b20b7cc9ab24d409aec14846a03917d1738e99af51b
                                                          • Opcode Fuzzy Hash: 498947f7a6417638a64e354513b089abf20ae730521669c71f62c8f5ed6c8dc5
                                                          • Instruction Fuzzy Hash: 6A4107B5E11618CFDB18CFA6D9446DDBBF2AFC8301F14C06AE509AB254DB345A45CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ac3919986e3b24f2f5df5305e371103a2ef54ff3ca2fa86f70786213dadc60ff
                                                          • Instruction ID: 5390d460a46030ab801902d94cb7e1e7519369a5e58992cf70d6b3b651de1c81
                                                          • Opcode Fuzzy Hash: ac3919986e3b24f2f5df5305e371103a2ef54ff3ca2fa86f70786213dadc60ff
                                                          • Instruction Fuzzy Hash: EC21AA71E156188BEB58CF6BDC4079EFBF7ABC8200F04C17AD908A6254DB341A568F51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 98a22334b2432bb9f23a36a2aa59dc521ab74d575da3ff5f158dba32e3735632
                                                          • Instruction ID: b17527b5e1a15a4ba0008a97043e8d2b056c9739b57b19c6390302d2d991bd3a
                                                          • Opcode Fuzzy Hash: 98a22334b2432bb9f23a36a2aa59dc521ab74d575da3ff5f158dba32e3735632
                                                          • Instruction Fuzzy Hash: A4114CB0D052598BCB24CFA5C848BEEBBF1AF4E311F149069D515F3390C7788A44CB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 00D96BF0
                                                          • GetCurrentThread.KERNEL32 ref: 00D96C2D
                                                          • GetCurrentProcess.KERNEL32 ref: 00D96C6A
                                                          • GetCurrentThreadId.KERNEL32 ref: 00D96CC3
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          • Opcode ID: ebd65b56279c1bee8e3516dae1f2a41b4bcd0debf2df05023d242c246eec5bd4
                                                          • Instruction ID: 4306e49c4c4a9edf25b46bc15f4fada7c4bffb6dbea7d7a9d5c91838aae5dbcb
                                                          • Opcode Fuzzy Hash: ebd65b56279c1bee8e3516dae1f2a41b4bcd0debf2df05023d242c246eec5bd4
                                                          • Instruction Fuzzy Hash: E85145B09003498FDB14CFA9D688B9EBBF0FF49314F14846AE459A7360D774A884CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 00D96BF0
                                                          • GetCurrentThread.KERNEL32 ref: 00D96C2D
                                                          • GetCurrentProcess.KERNEL32 ref: 00D96C6A
                                                          • GetCurrentThreadId.KERNEL32 ref: 00D96CC3
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          • Opcode ID: 67a04b785bb9370de37b8fe932e416fbf3450449dfea4116304bced2c0bc4ca7
                                                          • Instruction ID: c690674cee1bd6eadcaf90ccce39edefabc8e48da41e0961e8971496c1a7a9ba
                                                          • Opcode Fuzzy Hash: 67a04b785bb9370de37b8fe932e416fbf3450449dfea4116304bced2c0bc4ca7
                                                          • Instruction Fuzzy Hash: 185144B0D002498FDB14CFA9D688B9EBBF1FF89314F248469E459A7350D774A884CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078B8046
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: dad82da1df17dae9c7a95902b96902a03dcff15d87122a5516d6add52c301931
                                                          • Instruction ID: 1df6c3c32e29d4abb78b1be37de1cb9e21c51a0bff9e1d3e1a340990ab7efdec
                                                          • Opcode Fuzzy Hash: dad82da1df17dae9c7a95902b96902a03dcff15d87122a5516d6add52c301931
                                                          • Instruction Fuzzy Hash: 41914AB1D0021ADFDB24CFA4C880BDDBBB2BB88314F14856AE819E7340DB749985CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00D9BE0E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 559bcbc6a04d63575df37e49454bb97411474373032d009ae2cef804658ca68b
                                                          • Instruction ID: 34a614b8264759876782b46211ccda6696ac7405a210e5f361edf584a454600c
                                                          • Opcode Fuzzy Hash: 559bcbc6a04d63575df37e49454bb97411474373032d009ae2cef804658ca68b
                                                          • Instruction Fuzzy Hash: E0712470A00B058FDB24DF2AD54175AB7F1FF88314F01892AE49ADBB50DB75E8058FA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID: DecodePointer
                                                          • String ID:
                                                          • API String ID: 3527080286-0
                                                          • Opcode ID: 640dbbfe8b75236d4593784c62fcb8dbc60ccadbec5dc4952cb06c11fbfc6cc9
                                                          • Instruction ID: f965fd3fd2d06bd34c2e4b01c462531d7d4367c6a70e051c7ab9015d604ac8b5
                                                          • Opcode Fuzzy Hash: 640dbbfe8b75236d4593784c62fcb8dbc60ccadbec5dc4952cb06c11fbfc6cc9
                                                          • Instruction Fuzzy Hash: 348118B0D01248EFDB21DFA8D588BCDBBF4AB19318F24815AE819B7351C7795888CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D9DD8A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: 289a51a466eab8f14c5cc458a2c0f2ce069c3b62e1185ac892a8f5d4c76f7722
                                                          • Instruction ID: 9718e96c779a95ad174afd348976a3ce8dd881122c23d50e65855b81331aabdc
                                                          • Opcode Fuzzy Hash: 289a51a466eab8f14c5cc458a2c0f2ce069c3b62e1185ac892a8f5d4c76f7722
                                                          • Instruction Fuzzy Hash: 6251A0B1D003099FDF14CF99C884ADEFBB6BF48314F24812AE819AB250D7759985CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D9DD8A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: 1fd41601fb8a03e112ca7769e38c7e52b79e407728bfb25a0965e8ddc67f0f83
                                                          • Instruction ID: 55fbeb21eae724e61d1fce5b8d1edfb2a7fea967c788a208136e712c35fed941
                                                          • Opcode Fuzzy Hash: 1fd41601fb8a03e112ca7769e38c7e52b79e407728bfb25a0965e8ddc67f0f83
                                                          • Instruction Fuzzy Hash: CF419EB1D003099FDF14CF99C884ADEBBB6BF48314F64812AE819AB250D7759985CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D96E3F
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 2bf33ad3e907669da6b26ecee3a645720e736cf0987a5380f0b1dc94e4db0f24
                                                          • Instruction ID: 202ef889fe3d5236cfc1cdd818e0e38ca2126494bd9c509701941e47e927d9bf
                                                          • Opcode Fuzzy Hash: 2bf33ad3e907669da6b26ecee3a645720e736cf0987a5380f0b1dc94e4db0f24
                                                          • Instruction Fuzzy Hash: 8A411576900249AFCF01CF99D844ADEBFF9EB49310F04806AF914A7361D775A954DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078B7C18
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 41f43e1ae3c8751e7d26d0200556e40d8146541c61b0b1e8dd62ff252c1489eb
                                                          • Instruction ID: ee11ec3564d67a8e5b6a79b154c00807fc786b57e9ea5616e924d606b28d2b00
                                                          • Opcode Fuzzy Hash: 41f43e1ae3c8751e7d26d0200556e40d8146541c61b0b1e8dd62ff252c1489eb
                                                          • Instruction Fuzzy Hash: 372107B59003599FCB10CFA9C884BDEBBF5FF48324F14842AE919A7340D7789955CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D96E3F
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 10aa1ce9c34210906dc07538419a86a73a970e2843d951db9d6438166d876ae0
                                                          • Instruction ID: c0f579384f46e8d0ec5667b7f03248be8d11de5216ccf6eb0ce67bb936480878
                                                          • Opcode Fuzzy Hash: 10aa1ce9c34210906dc07538419a86a73a970e2843d951db9d6438166d876ae0
                                                          • Instruction Fuzzy Hash: 2421F2B5900248AFDB10CFA9D484AEEBFF4FF49324F14801AE954A3310D378A955CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 078B7A6E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID: ContextThread
                                                          • String ID:
                                                          • API String ID: 1591575202-0
                                                          • Opcode ID: 7d769d03615f0835bc7efd5c5f80ea83b9230d89631215e7b5ff6c2884e1ea85
                                                          • Instruction ID: a8e67b04a41457a7377c4206eb280c9b43b04dbe40f3d35118d9839d32ff0b7e
                                                          • Opcode Fuzzy Hash: 7d769d03615f0835bc7efd5c5f80ea83b9230d89631215e7b5ff6c2884e1ea85
                                                          • Instruction Fuzzy Hash: 442118B19003098FDB50CFAAC4847EEBBF4EF98364F14842AD559A7341CB78A945CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078B7CF8
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 513b375f5a0692978ff4d0e3e393d3b4e3bb556c2607b85e476c68cb82fc3efa
                                                          • Instruction ID: c10214a199caa29836e87605b95908404617c41ad4d462032f8803d3fb952bfd
                                                          • Opcode Fuzzy Hash: 513b375f5a0692978ff4d0e3e393d3b4e3bb556c2607b85e476c68cb82fc3efa
                                                          • Instruction Fuzzy Hash: 492148B18003099FCB10CFA9C8847EEFBF5FF48320F50842AE919A7240C7789944CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D96E3F
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 2717b6f5c0ec45d7f24f82c21cca9af711f093288b5aff8532b69bb94399f09a
                                                          • Instruction ID: e70a9a6a7e1fda0b61dbe6767f807a5cc0055fe754f6c3af9fa71e2b0f1defa3
                                                          • Opcode Fuzzy Hash: 2717b6f5c0ec45d7f24f82c21cca9af711f093288b5aff8532b69bb94399f09a
                                                          • Instruction Fuzzy Hash: 6A21D3B59002099FDF10CFA9D884ADEFBF8FB48324F14842AE914A3310D379A954CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 078B33BB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: c1080fa4941a759c60ec2ed04f93b77829b6eea4a62ac5f9286d4b6c81a2aadd
                                                          • Instruction ID: f4fa20d818f1433eeb19ced900c98c58ad4122c7ee8ad44c6e9e6b195d498802
                                                          • Opcode Fuzzy Hash: c1080fa4941a759c60ec2ed04f93b77829b6eea4a62ac5f9286d4b6c81a2aadd
                                                          • Instruction Fuzzy Hash: 6F21F4B59002499FCB10CF9AD484BDEBBF4FB48360F10842AE968A3750D3789545CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 078B33BB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 662120dd1fe3a3566590dbbd1276a12bcb85452e5543d73e7de8ae9ac1e2f243
                                                          • Instruction ID: afe7866e6ddc3bbf8a94496f6a79294aeb976672936d7f66de6da4e271f10370
                                                          • Opcode Fuzzy Hash: 662120dd1fe3a3566590dbbd1276a12bcb85452e5543d73e7de8ae9ac1e2f243
                                                          • Instruction Fuzzy Hash: 5F21E4B19002099FCB10CF9AD484BDEFBF4FB48320F108429E968A7750D778A549CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D9BE89,00000800,00000000,00000000), ref: 00D9C09A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 133c330bfad20aa0851d06768e01409a6a6831e0513f611eb651c8c8be211a7b
                                                          • Instruction ID: cb95c34d4a7db084029d86f2904f2243c5fe5dc4b4e04afd13ca9b8681fc5a20
                                                          • Opcode Fuzzy Hash: 133c330bfad20aa0851d06768e01409a6a6831e0513f611eb651c8c8be211a7b
                                                          • Instruction Fuzzy Hash: 5B1103B2900209CFCB10CF9AC444BDEFBF4EB49364F14842EE919A7200C3B5A945CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078B7B36
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 7931e22ef610f1c20fbffcd3da241fee2cabf69bf35fed487e58a7b439d26077
                                                          • Instruction ID: 7f21f6fb0ab2d4d6c65fcc3d833424efb2870d07ad603d7feb75acf708f4445c
                                                          • Opcode Fuzzy Hash: 7931e22ef610f1c20fbffcd3da241fee2cabf69bf35fed487e58a7b439d26077
                                                          • Instruction Fuzzy Hash: 151137719002099FCB10DFA9C844BDFFBF5EF98324F14842AE515A7250C775A954CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D9BE89,00000800,00000000,00000000), ref: 00D9C09A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: f1a18a6a748443c87f3fd838e18c17d392160c51eb8fb2795a3838ba71a33bb7
                                                          • Instruction ID: bc069a9ba0e0936a88971317134c38835d980fb8bebfd5d34d1eeb476c196be8
                                                          • Opcode Fuzzy Hash: f1a18a6a748443c87f3fd838e18c17d392160c51eb8fb2795a3838ba71a33bb7
                                                          • Instruction Fuzzy Hash: A81117B6D00209CFCB10CFAAD484BDEFBF4EB49324F14852AE419A7200C375A949CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 38bb5354cdf9099f6400a55ed919b758a75127ee710ed051184c2c4530e54af6
                                                          • Instruction ID: 2c4f10fc1161677c5c69313031d7e4f892a38a75c523a1ea5553c9faebba1e93
                                                          • Opcode Fuzzy Hash: 38bb5354cdf9099f6400a55ed919b758a75127ee710ed051184c2c4530e54af6
                                                          • Instruction Fuzzy Hash: 831136B19003498FCB10DFAAC4487EEFBF4EF88224F14842AD519A7340C779A944CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00D9BE0E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 768cdb8f40ad48eebbd76cade16fcd5ddf684e7031cb7f14928d5ccc2b57e9e8
                                                          • Instruction ID: 9ead5b6879a5a2f930bb42f4f86f33e0d6c858efebf675bfa11ec9a11d470444
                                                          • Opcode Fuzzy Hash: 768cdb8f40ad48eebbd76cade16fcd5ddf684e7031cb7f14928d5ccc2b57e9e8
                                                          • Instruction Fuzzy Hash: EE1113B1C002498FCB10CF9AD444BDEFBF4EB88324F15842AD819A7600C375A545CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetWindowLongW.USER32(?,?,?), ref: 00D9DF1D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: LongWindow
                                                          • String ID:
                                                          • API String ID: 1378638983-0
                                                          • Opcode ID: 9209f5387aae6697602348cde8ec71c8221aae8da4248900cb41d443daff9c2a
                                                          • Instruction ID: 826227df60228c57022cf1a7fef3307b922fd5ffef5e47e85afe1b36924c683e
                                                          • Opcode Fuzzy Hash: 9209f5387aae6697602348cde8ec71c8221aae8da4248900cb41d443daff9c2a
                                                          • Instruction Fuzzy Hash: A211F2B58002499FDB10CF99D489BDEBBF8EB48324F14845AE915B7700C3B4A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 078BD02D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: 7f531361d9bfc7368b2e75909ae27c4935ef4792b3e8af0a46dbe77a0f3942cc
                                                          • Instruction ID: 34a933a32c3454ec80ae1b93d31271cb665561894ee516d12e22f28c4b1ea6ee
                                                          • Opcode Fuzzy Hash: 7f531361d9bfc7368b2e75909ae27c4935ef4792b3e8af0a46dbe77a0f3942cc
                                                          • Instruction Fuzzy Hash: 4711D3B59002499FDB20CF99D488BDEBBF8FB59324F108419E514A7700C375A545CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetWindowLongW.USER32(?,?,?), ref: 00D9DF1D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID: LongWindow
                                                          • String ID:
                                                          • API String ID: 1378638983-0
                                                          • Opcode ID: e4e80994315cb3ef27e8b3a3ff37074626ce818489230fd3e1899fba2cf9d5cf
                                                          • Instruction ID: 694a25898c3535236a19904b033d29040d42788c8624236ba6f95b3980067aa4
                                                          • Opcode Fuzzy Hash: e4e80994315cb3ef27e8b3a3ff37074626ce818489230fd3e1899fba2cf9d5cf
                                                          • Instruction Fuzzy Hash: D011D0B58002499FDB10CF99D489BDEFBF8EB49324F14845AE915A7700C3B5A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LE
                                                          • API String ID: 0-470665354
                                                          • Opcode ID: 4981840274f4863b9389ac5958f3fced944b37c2fa6b80077799e18e44af7300
                                                          • Instruction ID: c1c77d1e3f42c8050494a485afed420c88c410146ef6ba35a833e57c3455e1fb
                                                          • Opcode Fuzzy Hash: 4981840274f4863b9389ac5958f3fced944b37c2fa6b80077799e18e44af7300
                                                          • Instruction Fuzzy Hash: F93107B0E04209DFCB44CFA9D5819AEBBF2AF89300F15C5AAD118AB315D3349A41CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: e#g
                                                          • API String ID: 0-363032358
                                                          • Opcode ID: 4c5170c1f2931e3f949aacb9f1795264ac96e6342f32e78138da133a50f2015e
                                                          • Instruction ID: b7f232b16d291a10d896a33c4c8079c6c7c01d37c697cef330372d0d4560b2b5
                                                          • Opcode Fuzzy Hash: 4c5170c1f2931e3f949aacb9f1795264ac96e6342f32e78138da133a50f2015e
                                                          • Instruction Fuzzy Hash: 16F0B7B5D14259DFCB50CFE8C985A9DBBB1FB48310F1095A8E505AB315C7309A85DF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: e#g
                                                          • API String ID: 0-363032358
                                                          • Opcode ID: bfc3e54da32330a222e8499bdea7af8b881554a849857ae5fbfdc2dba6ddd767
                                                          • Instruction ID: cf4a5cc8824f4b2861c6200361f6eab3c6a8bcc2d870ce5439cec2f4eb48921b
                                                          • Opcode Fuzzy Hash: bfc3e54da32330a222e8499bdea7af8b881554a849857ae5fbfdc2dba6ddd767
                                                          • Instruction Fuzzy Hash: 2BF09DB9D04259DFCB90CFE8C984A9DBBB1FB48310F2095A9E408AB315D630AA81CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 863928be6af0feb46750635c9c38ac6a52db85050e6975fb08956d0fe4c024c6
                                                          • Instruction ID: 86263d8ed6ffb5d97f49764e9b52b35ce9a207cef6019f7519d4b503a8d799c1
                                                          • Opcode Fuzzy Hash: 863928be6af0feb46750635c9c38ac6a52db85050e6975fb08956d0fe4c024c6
                                                          • Instruction Fuzzy Hash: 4091B0D280E3D05EC323637828741D63FB25D63198B0F85EBE2E5CF1B7A549594A83A7
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2c55c4acb003238d0b5bc106c42a6f3a0f69d9f498bc5ffb9aa83c59f6d25d35
                                                          • Instruction ID: 6e7d6593940f8b729ee68f7033f7e4612ebe1e68ad981cda52e1182358c4bb91
                                                          • Opcode Fuzzy Hash: 2c55c4acb003238d0b5bc106c42a6f3a0f69d9f498bc5ffb9aa83c59f6d25d35
                                                          • Instruction Fuzzy Hash: 8441ED71B012068FCB11DBB8D8445BEBBF7EFC42247158669E569CB3A1EF309D068B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c548e805a5ee0da9d1c937ef45a7efb2d50555f472cba12e1260768cdad8e367
                                                          • Instruction ID: 9c77a0868bdc5367e8f1677cdbae0b01d0fafd7d7796b04187f464f131b4144d
                                                          • Opcode Fuzzy Hash: c548e805a5ee0da9d1c937ef45a7efb2d50555f472cba12e1260768cdad8e367
                                                          • Instruction Fuzzy Hash: B951D3B4E14209CFDB04CFE9D9456EEBBF2BF8A300F108429E625A7754DB745942CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5f38dbe3339a13082549de4dae3b6006031a490ef00a623b4a7f1a90ada6a47b
                                                          • Instruction ID: 2e45940a018ab217b5cb41af4839992db51d14747a19c957b1be0531bec5fd8b
                                                          • Opcode Fuzzy Hash: 5f38dbe3339a13082549de4dae3b6006031a490ef00a623b4a7f1a90ada6a47b
                                                          • Instruction Fuzzy Hash: EB31E9B4E11209DFCB44CFA9C5819AEBBF1BB88300F10846AD919A7754D7349941CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.669973310.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a7a884359211a176e39f4210d32f6d9e53657e5dbe67c0fc8e66f7e5930a272
                                                          • Instruction ID: 88647b2733eb0035ca4ea72e1cd247c8b61d38debc483a87f15790df0f88dc55
                                                          • Opcode Fuzzy Hash: 1a7a884359211a176e39f4210d32f6d9e53657e5dbe67c0fc8e66f7e5930a272
                                                          • Instruction Fuzzy Hash: DA21F8B2505240DFDB05DF10D9C0B26BBB6FF94324F24C969E90D4B296C33AE856C7A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670009464.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78ef480f80e13d2cbed190853b241c456b42420b1bf90262dafae8f3fc30d295
                                                          • Instruction ID: 84a1d5cf267ba19030be91a2f066383ba8814d0aa319b169e639d2f48339ddc6
                                                          • Opcode Fuzzy Hash: 78ef480f80e13d2cbed190853b241c456b42420b1bf90262dafae8f3fc30d295
                                                          • Instruction Fuzzy Hash: AD2107B1504240DFDB14EF10D8C4B26BBA5FB84314F24C96DD9494B386C37AD847CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670009464.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c71feeeb3cc1efb05d4688cb1166df8451e791ac2e61231a51a7f572b2643f6
                                                          • Instruction ID: 560c74184c86c9d19c2f7ec02d5a8a0b630a34463a60ec92cd47c50352feb44d
                                                          • Opcode Fuzzy Hash: 3c71feeeb3cc1efb05d4688cb1166df8451e791ac2e61231a51a7f572b2643f6
                                                          • Instruction Fuzzy Hash: 492129B5504240DFDB04EF10D8C4B26BBA5FB84328F24C96EE9494B386C37AD846CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6553f84b4d65aad857b9fb4ddff2aa7f2988875c57c8fbc736e7d7e1dea0fef
                                                          • Instruction ID: 7895717f25745c9c4ceb91628f6935a525f622ad6993f582b56755924bc924c2
                                                          • Opcode Fuzzy Hash: d6553f84b4d65aad857b9fb4ddff2aa7f2988875c57c8fbc736e7d7e1dea0fef
                                                          • Instruction Fuzzy Hash: E931C7B4E15209DFCB44CFA9C5809AEBBF2FF88300F10856AD919A7754D7749A42CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 12f358333943d0a7da0607780221794f17963722df173253b179bfa0a44e8780
                                                          • Instruction ID: 7fa96a0aa5cf1ed562266ed34a1e74c79a917b4912d37109930e43e04b68fd7e
                                                          • Opcode Fuzzy Hash: 12f358333943d0a7da0607780221794f17963722df173253b179bfa0a44e8780
                                                          • Instruction Fuzzy Hash: 9B31E0B5D412189FDB20CFA9C588BCEBFF0AB49314F14842AE414BB250C7B55889CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aa4056aedbfa66b2830a260e2e2e55398d34e8d70776dd40365d089cc7d3f4ac
                                                          • Instruction ID: 1e5dd4470fd31fa8f5c32dc71575955cebbc45d06979508637a6d049ebf1df75
                                                          • Opcode Fuzzy Hash: aa4056aedbfa66b2830a260e2e2e55398d34e8d70776dd40365d089cc7d3f4ac
                                                          • Instruction Fuzzy Hash: 8A21BDB1D01218DFDB20CF99C988BCEBBF4BB49714F24802AE514BB250C7B55885CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670009464.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: badb651c25f72cf2a92c9918e3752f83ad93c4e4fe6b82e4b0f6a659dca47fde
                                                          • Instruction ID: d77c3cfe607ae5e5a3b727d3bf88738bb9431c3ad4015c2c3ff50c4c09d52421
                                                          • Opcode Fuzzy Hash: badb651c25f72cf2a92c9918e3752f83ad93c4e4fe6b82e4b0f6a659dca47fde
                                                          • Instruction Fuzzy Hash: E3218E755093C08FCB12CF20D994B15BF71EB46314F28C5EAD8498B6A7C33A980ACB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a8fce1a289f3d1d84ac515614805918e6a23549b71ab759fad600718d25f1d9c
                                                          • Instruction ID: f6f5bec5399baed8f446c1299d432948c01e78f015c0659aa84860d8f4edc5ec
                                                          • Opcode Fuzzy Hash: a8fce1a289f3d1d84ac515614805918e6a23549b71ab759fad600718d25f1d9c
                                                          • Instruction Fuzzy Hash: DD115E71B0021ACB8B54EBF998106EEB6F6EFC9254B10403AD614EB344EB328D46CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 63dac5cbe806267690d1c5997468a1406f56364f922409627c8d8aa12e0e9044
                                                          • Instruction ID: 6bbb702316f445f97b574a7d22e236e3a1e657558933e84216f641fa74c4390d
                                                          • Opcode Fuzzy Hash: 63dac5cbe806267690d1c5997468a1406f56364f922409627c8d8aa12e0e9044
                                                          • Instruction Fuzzy Hash: 4201C8B5A006165B8B10DFB998405BFBBFBEBC82607148529E968D3340EF308D0587A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.669973310.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
                                                          • Instruction ID: 8a33d3893f4646bbefa2ec96ad2bd11411cc5cbd937f80807e53c8ebb960e5bf
                                                          • Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
                                                          • Instruction Fuzzy Hash: AF11D376505280DFCB11CF10D5C4B16BF72FF94320F28C6A9D8080B666C33AE856CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670009464.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
                                                          • Instruction ID: f69dfaf4cc67864c7b987da58bce96e1c927a49912b46bce136964a099331921
                                                          • Opcode Fuzzy Hash: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
                                                          • Instruction Fuzzy Hash: 4F119D75504280DFCB11DF14D5C4B19BBB1FB84328F28C6AAD8494B796C33AD84ACBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4b764ca717a16f0dd0c46dbac9508b69d1120917ec51eec40798d9dc581fcdce
                                                          • Instruction ID: 62527ae6ea7a494df7ebfb424eeda5bd8ee42e1cee09628bab686272f7f879e7
                                                          • Opcode Fuzzy Hash: 4b764ca717a16f0dd0c46dbac9508b69d1120917ec51eec40798d9dc581fcdce
                                                          • Instruction Fuzzy Hash: E62129B4E12359CFDB20CFA5C94579DBBB1BB89310F10849AE505AB314E7349E85CF14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ebbde5031fc6fb487d88d1b21e37f1b88fd4e11765189c890be510648ee4cf80
                                                          • Instruction ID: 858ffbdf3a8f4caf5d453c9a31c0d901e01d6b812890dc12c34d22d2aa68b001
                                                          • Opcode Fuzzy Hash: ebbde5031fc6fb487d88d1b21e37f1b88fd4e11765189c890be510648ee4cf80
                                                          • Instruction Fuzzy Hash: F5114970A12259CFCB54CFE4D944A9DBBB2FB89311F109496E506AB358E738AE84CF10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.669973310.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c2e11c11194a4aba158f77f26ff7bdc9893df08d9d4fbe014788ac5e1c0946a1
                                                          • Instruction ID: 0aace758b8a62dc101bcb318f6fc192e0132741c0a7bbf1d2ae5ca7c23aa4f2a
                                                          • Opcode Fuzzy Hash: c2e11c11194a4aba158f77f26ff7bdc9893df08d9d4fbe014788ac5e1c0946a1
                                                          • Instruction Fuzzy Hash: A3018F72409244AAE7108A16CC847A6BBE8EF95774F18C45AEE095B246C3B99944C6B2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f0d6a86e4b834bfc2b148d9e0058fd82152d4de6b7cb57551e0b15a642e36f0d
                                                          • Instruction ID: 751020a48a8fbf2c6a20735b5096d8d28170b5e880ae033cb7d7c4143c720f52
                                                          • Opcode Fuzzy Hash: f0d6a86e4b834bfc2b148d9e0058fd82152d4de6b7cb57551e0b15a642e36f0d
                                                          • Instruction Fuzzy Hash: F2114874A12259CFCB54CFA4D94469DBBB2FB89311F2054A6E406AB354EB34AE85CF00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 514f34ff43728db225242a6226b2876f1285b21792032972287a820773249792
                                                          • Instruction ID: f68fca9b39dafb4a7b3ac6246a644afcac89c75ff1de8826171a0aab29c09d2b
                                                          • Opcode Fuzzy Hash: 514f34ff43728db225242a6226b2876f1285b21792032972287a820773249792
                                                          • Instruction Fuzzy Hash: 9D115A74A12359CFCB50CFA4D94469DBBB2BB89310F205496E516AB358E734AE84CF40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 51857ebb8510de37ae13e7df77980422d13baffd2122ef34e51fcd61488b820d
                                                          • Instruction ID: c158cb4520b2d41beeaa28c8049c6a25c2b6347664024dad1a648780ad5e8741
                                                          • Opcode Fuzzy Hash: 51857ebb8510de37ae13e7df77980422d13baffd2122ef34e51fcd61488b820d
                                                          • Instruction Fuzzy Hash: 9801F770A21608DFD744DFE5D94629DFFB6EB8A201F10C066D90DD3304DB309A51CA45
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e92ac21a103bbaee1806994ee48f01dd55bedc45096d83bd4c84dc8c1bcc6506
                                                          • Instruction ID: 5bc2794485ab6bb3c2cc99eb2c966a5719420f262f51e8e0c8c3a0e172fe81f4
                                                          • Opcode Fuzzy Hash: e92ac21a103bbaee1806994ee48f01dd55bedc45096d83bd4c84dc8c1bcc6506
                                                          • Instruction Fuzzy Hash: 0D01D2B0926608DFD708DFE5D54969DBFB2EB86201F10C0AAE40997714DB348A12CB44
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3050a306d320a811e8f5258610ca52bf23a9a426d255067df68570869eea434a
                                                          • Instruction ID: b6bb93ef82cddf5d3e3aa6efcb38ab47ed9c33b981504e5c04ed5d088b400218
                                                          • Opcode Fuzzy Hash: 3050a306d320a811e8f5258610ca52bf23a9a426d255067df68570869eea434a
                                                          • Instruction Fuzzy Hash: 6E01D7B1900209DFDB14CF9AC54879EBFF5BF88360F24C169E928AB290C7758984CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 901bd90c6a577cd64ecc5a32f477c06e63c94d39837396c9e9411b661cd96792
                                                          • Instruction ID: 26a968e18fc56b34ab0f00d8b7ca7189b6d6a62adda58080fb38fffc18847d86
                                                          • Opcode Fuzzy Hash: 901bd90c6a577cd64ecc5a32f477c06e63c94d39837396c9e9411b661cd96792
                                                          • Instruction Fuzzy Hash: 5A010CB6900209DFDB15CF99C5857DDBFF1BF88320F24C559E9286B2A0C7768A84CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5d1a361f1853ac76bd41cd1843578529ea64e44649cdc31b358d353c54e95d96
                                                          • Instruction ID: 71c42fb566d624462a56ce1b82affe531636b3e0e37330b08177712d26386474
                                                          • Opcode Fuzzy Hash: 5d1a361f1853ac76bd41cd1843578529ea64e44649cdc31b358d353c54e95d96
                                                          • Instruction Fuzzy Hash: E5018175958248DFCB11CFA8D44599CBFB0EF4A321F2081D6E9659B362C6319A50CB41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.669973310.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0af7f6d48ce66a17a93203d16fb0ba5eca29e54b2557bbeb34a9386becb227f2
                                                          • Instruction ID: 7419d47b1b021912f486b83047da9966398447814fc68975fc4ab82fbc259c63
                                                          • Opcode Fuzzy Hash: 0af7f6d48ce66a17a93203d16fb0ba5eca29e54b2557bbeb34a9386becb227f2
                                                          • Instruction Fuzzy Hash: 77F06272405244AFE7108A16DCC8BA2FFECEF95774F18C45AED085B286C3799C44CAB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62671106d35bfbadebf3b1156fb9dfe91cd6a3ec578cc533bee12c7a8e1e5f77
                                                          • Instruction ID: bd4ea1b1e03f5805f575743960b1b458a8633a3ab2bbec5ae61c8d9faf359672
                                                          • Opcode Fuzzy Hash: 62671106d35bfbadebf3b1156fb9dfe91cd6a3ec578cc533bee12c7a8e1e5f77
                                                          • Instruction Fuzzy Hash: 3C01B675A00208AFCB44DFA9C549A5DBFF1AF88310F05C0A5E9089B361EA349941CB41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d4d90bc76d22444dc15c691cc7963417969bb63c315e5f30cace49c578f08846
                                                          • Instruction ID: d4db1cf9f9dc506606bba452255fd65e5cc9c091b04f24dd7239a4f0f14a2700
                                                          • Opcode Fuzzy Hash: d4d90bc76d22444dc15c691cc7963417969bb63c315e5f30cace49c578f08846
                                                          • Instruction Fuzzy Hash: F9F0E2F2584159CBCB18DBE8F4816ECBFE0EB85235B2802D6EB2C47A51DB355482C7C2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c25dbbe2483147e77249a7341971e3e11e976c3119ebd1a1e889bdc5b7351e7e
                                                          • Instruction ID: 19ac2451786bda774b80bd8b23a706837095daecc65cbfdccec61f6cc2cb20cb
                                                          • Opcode Fuzzy Hash: c25dbbe2483147e77249a7341971e3e11e976c3119ebd1a1e889bdc5b7351e7e
                                                          • Instruction Fuzzy Hash: 38F082767082614FD3058B69A89186ABBF5EBC9261315816BE558CB392DA309D018791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0a5c01072e1e6ea81e9da9cdb5b66a0ad8b55cd7460909a960a2a3ea318fd079
                                                          • Instruction ID: da99e3caddbbe3e4fd86b409d58faed5f95c5b00d8222873b88c16ccb5ec174a
                                                          • Opcode Fuzzy Hash: 0a5c01072e1e6ea81e9da9cdb5b66a0ad8b55cd7460909a960a2a3ea318fd079
                                                          • Instruction Fuzzy Hash: B101FFB0800619DFDB24CFA5C8047AE7AF5FF45350F548625E524AB2A0D7744A44CFD4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a9aa07fee07673cd27ea7ddf45cd9aa0e6d5668b4ce77f1c75d9ca3b19e06fba
                                                          • Instruction ID: d2633b5d02a76c72ec04e6cc0e88279917469172ea57bcfcd320e5bd8ec6db2c
                                                          • Opcode Fuzzy Hash: a9aa07fee07673cd27ea7ddf45cd9aa0e6d5668b4ce77f1c75d9ca3b19e06fba
                                                          • Instruction Fuzzy Hash: A5E06D727041246F5304DB6EEC84C6BBBEEEBCD6B4751813AF50CCB311DA309C0186A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db5e9d463fc15b39a49d2c0ea49d0eabaec9f56190cb61c6dbfc79a5d4f82ac0
                                                          • Instruction ID: 3f617886341c4ed300ee9850c6e8ccaa0ba8a3372d3480b949a8c09343f1599d
                                                          • Opcode Fuzzy Hash: db5e9d463fc15b39a49d2c0ea49d0eabaec9f56190cb61c6dbfc79a5d4f82ac0
                                                          • Instruction Fuzzy Hash: 4E011DB1C00619DFEB24CFA5C9047AE7AF1FF49320F548625E524AB2A0D7744A44CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5a3cbac53273fe34c5556a33da4784e08845f1c6d35b99455ea73ab458e086ad
                                                          • Instruction ID: 51407c61221934f228e234a131f6c5a275e99b58581f8c74e9c25a754ac8acd1
                                                          • Opcode Fuzzy Hash: 5a3cbac53273fe34c5556a33da4784e08845f1c6d35b99455ea73ab458e086ad
                                                          • Instruction Fuzzy Hash: 280128B0A002189FDB54DFA4CD80B9DB7B2BF89204F4085A5E00DBB724DB30AE85CF20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c45cb222367ed3fa75e27f99b4139bd4d52de0f3f95fdcee342dfa787d84227f
                                                          • Instruction ID: d0e474d1907eeecd6d4ec0abe5c064bfdc096e5b92f24186428c350283aed7fb
                                                          • Opcode Fuzzy Hash: c45cb222367ed3fa75e27f99b4139bd4d52de0f3f95fdcee342dfa787d84227f
                                                          • Instruction Fuzzy Hash: 190142B8D1522ACFEB60DF54D989B99B7F1BB09340F0095E6E51DA3240D7349E808F11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 430fab6596b1d93052087145c463502aaf9a3cc243a7fb326a5a924c5d9df158
                                                          • Instruction ID: 012529011fda295ee39d18eaef6f5b1fcea979b4c4f6b151a62fc80bc9fd11f3
                                                          • Opcode Fuzzy Hash: 430fab6596b1d93052087145c463502aaf9a3cc243a7fb326a5a924c5d9df158
                                                          • Instruction Fuzzy Hash: 06E0E5B4D15308EFCB14DFA8E44169DBBB4EB49301F10C0A9E919A3700DB355A90DF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d130f084271dcaaa28e96f0be29d797c5eb61774bf231ef0a31a36ccd95cf5cf
                                                          • Instruction ID: 37352386b9d311f30e75743d54d281f7901fc3d67d3b1d0e8c4e051cba6cdd0d
                                                          • Opcode Fuzzy Hash: d130f084271dcaaa28e96f0be29d797c5eb61774bf231ef0a31a36ccd95cf5cf
                                                          • Instruction Fuzzy Hash: A5E04F74964208DFCB40DFA8D485A5CBFF4EB08305F1040E9E94997710D630AA40CB41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0f35f12da4be3cba75c7289816c696ca26acf837a4ac084ccd7ff10c1f20864a
                                                          • Instruction ID: a70e034e6bb49abe8c3d0a2376737c52e6685f31d21296870abb7a42a040b1fd
                                                          • Opcode Fuzzy Hash: 0f35f12da4be3cba75c7289816c696ca26acf837a4ac084ccd7ff10c1f20864a
                                                          • Instruction Fuzzy Hash: 50E0E5B8D55208EFCB04CFE4D0406ADBBB4FB49306F20C4AAE8196B700C7355A91DF41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 204baac8eedf58ba6681e41466b8af52f3378ccfcad47e3913c5499ec9eb4aed
                                                          • Instruction ID: 2ddab9a59ac7dc5096a389b0313b724da48c7ac5b9f8c34e3b02d8268a3a82d2
                                                          • Opcode Fuzzy Hash: 204baac8eedf58ba6681e41466b8af52f3378ccfcad47e3913c5499ec9eb4aed
                                                          • Instruction Fuzzy Hash: 98E0ECB496530CEFC744DFF8E44679DBFB4EB49301F2084A9E91993640EB315A90CA91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 459232cfda81dadedbfcfb8dbdca0ce6a8b3e282f9b271e46136dde83c74fa1d
                                                          • Instruction ID: 773ca52ecd4c7ef96a91a83726b373fd2bb4745f963344ca93eb50f50839c4fb
                                                          • Opcode Fuzzy Hash: 459232cfda81dadedbfcfb8dbdca0ce6a8b3e282f9b271e46136dde83c74fa1d
                                                          • Instruction Fuzzy Hash: 0CE0C9B0E5522C9FDB54DBA4CC41B9EB7B2FF86300F4186AAD106AB254E7345D40DF12
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ac2ebc65c45611be5bab47321f5ebb7c214fc02f1f954f0c6570bfe0fcb0cd3
                                                          • Instruction ID: 2a162b190c43771c3e570392b592f3089a3267ee3de2834f4fecbfbf4e6f7cdf
                                                          • Opcode Fuzzy Hash: 0ac2ebc65c45611be5bab47321f5ebb7c214fc02f1f954f0c6570bfe0fcb0cd3
                                                          • Instruction Fuzzy Hash: D6E04FB4965208DFDB40CFD4C084A6CBFF4EB08305F1040DAE9599B710C7345940CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 149169d213d7797034b11c9cc9954babb44f88952ac8ac794c986a0f5d4e6ee2
                                                          • Instruction ID: 0239fad24af103714e34c9feab96c88d95b68b75ec32921a190211d1c6198803
                                                          • Opcode Fuzzy Hash: 149169d213d7797034b11c9cc9954babb44f88952ac8ac794c986a0f5d4e6ee2
                                                          • Instruction Fuzzy Hash: 6CD0A7F5D011048FCB85DEA8F44458CB770EF26255B0241D2EC18AB120EB31C9119B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Cb
                                                          • API String ID: 0-3507451087
                                                          • Opcode ID: 810e59184b5746ecbb26eb7a228a728a86a9849f9dfc61d019080ab15822c9f4
                                                          • Instruction ID: 9591d45d0a52b64a2563b39f3df5e93cc7cca8be2c16ea92da74c10f78e308ae
                                                          • Opcode Fuzzy Hash: 810e59184b5746ecbb26eb7a228a728a86a9849f9dfc61d019080ab15822c9f4
                                                          • Instruction Fuzzy Hash: 25B126B0E052498FCB18CFA9C5456DEFBF2AF99314F28D12AD408EB359E7349902CB55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ?z#L
                                                          • API String ID: 0-296329399
                                                          • Opcode ID: 14b1b5fbb397bdf64b8a8e9e6d08af383c8aab118bb8d30a1520e93cb785f3a0
                                                          • Instruction ID: c3ad4809c874e6bd9ead3b0b2d53f96152b786ef9bc192dfaabaeff2c9e460cd
                                                          • Opcode Fuzzy Hash: 14b1b5fbb397bdf64b8a8e9e6d08af383c8aab118bb8d30a1520e93cb785f3a0
                                                          • Instruction Fuzzy Hash: AE614AB0E155699FDB24CF69C981A9EFBB2BB89304F14C1AAD408E7316DB309A41CF51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ?z#L
                                                          • API String ID: 0-296329399
                                                          • Opcode ID: 3b090706f5d6d59c609212ade4dbdd95f95deb8c6255a516a3e37286ef1e8293
                                                          • Instruction ID: 0d48cfbfc4e02cf5c9d5b26fd205be1edd72fd95812c1675aad2222eb8e8b24d
                                                          • Opcode Fuzzy Hash: 3b090706f5d6d59c609212ade4dbdd95f95deb8c6255a516a3e37286ef1e8293
                                                          • Instruction Fuzzy Hash: E16146B0E1555A8FDB24CF69C981A9EFBF2BF89204F24C1A9D408EB316D7309A41CF51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ?z#L
                                                          • API String ID: 0-296329399
                                                          • Opcode ID: 253ddbfb25dd7e55a9525f7e2da2887a152c94326c4fda5e10428395501a9350
                                                          • Instruction ID: 2d61a686151eca3889a3412712e0d771edba7b6b32c016f386cfe291b7c41706
                                                          • Opcode Fuzzy Hash: 253ddbfb25dd7e55a9525f7e2da2887a152c94326c4fda5e10428395501a9350
                                                          • Instruction Fuzzy Hash: BA613AB0E155599FDB24CF69C98169EFBF2BB89304F24C1AAD408E7316DB309A41CF51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^m{T
                                                          • API String ID: 0-3931425326
                                                          • Opcode ID: 41fe2d7d1f11b59cd17bdf7cb0a175dca22c002efaae18cddb7bf020f60030b2
                                                          • Instruction ID: b4a46f1636259e4f96a3075ad3cfc4376d4ca7ec69c471cc3964e802e8cb3f60
                                                          • Opcode Fuzzy Hash: 41fe2d7d1f11b59cd17bdf7cb0a175dca22c002efaae18cddb7bf020f60030b2
                                                          • Instruction Fuzzy Hash: 4251F8B0E1520ADFCB08CFE9C5815AEFBB2BB89300F24D16AD525B7214D7349A418B95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2rW
                                                          • API String ID: 0-2165363109
                                                          • Opcode ID: 059648be260fe7aa8ee971eb0fa6c3dd1207df541c67d67023aba3d7ecd655f5
                                                          • Instruction ID: 5b47e18231cf9e5e81e723c2eacde3bc8850ee4f6b12244957f5b4d6ca715586
                                                          • Opcode Fuzzy Hash: 059648be260fe7aa8ee971eb0fa6c3dd1207df541c67d67023aba3d7ecd655f5
                                                          • Instruction Fuzzy Hash: 2E412BB0E152199BDB64CFA6D840B9EFBF2FB89304F14C0AAD508E7314EB305A858F51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2rW
                                                          • API String ID: 0-2165363109
                                                          • Opcode ID: 7b5180328a7f5da47d2ff0bc4f1a18ae3fb74eb5c694e7983b2ec982fc6af1d4
                                                          • Instruction ID: 4cc846092bccf2babdb47a4ee73d7ea2558cb63c96446abcdaf685e3ea852048
                                                          • Opcode Fuzzy Hash: 7b5180328a7f5da47d2ff0bc4f1a18ae3fb74eb5c694e7983b2ec982fc6af1d4
                                                          • Instruction Fuzzy Hash: 49414CB0E152199FDB68CF66D940B9EFBF2AF89304F14C0AAD508E7315EB305A858B51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -
                                                          • API String ID: 0-2547889144
                                                          • Opcode ID: 5a87de5aa3c075afdc4fbf1291b8bf4abc70e600ae297c65d2b954815f7e55d5
                                                          • Instruction ID: fc5a02f23b7900d10db98a257c1c4feaeb1d192f341ef12aadac4a7696a6557d
                                                          • Opcode Fuzzy Hash: 5a87de5aa3c075afdc4fbf1291b8bf4abc70e600ae297c65d2b954815f7e55d5
                                                          • Instruction Fuzzy Hash: DC4123B1E156588BEB5DCF6B9C4078AFAF7BFC9200F14C1BAD54CAA254DB700A858F11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681123532.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 31423f3934d20709ce48f756c5519c46a089a20b88581c3371b89f4554fc03f3
                                                          • Instruction ID: c56e748ad1f724364d38d47c1af03a07b81f9aec443cc559186e6e0b691d2ef7
                                                          • Opcode Fuzzy Hash: 31423f3934d20709ce48f756c5519c46a089a20b88581c3371b89f4554fc03f3
                                                          • Instruction Fuzzy Hash: 4F725CB4E00219CFDB10DFA8C984AADBBF1FF89304F1585A5D449AB295D730ADA1CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681123532.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 29c51f14aa0a0d2569d366193cdda1420a72bd3bfe36c398cbceb69c7f139fec
                                                          • Instruction ID: 96c8c4f1fe0fc56ed4d4992fe69411d59e6da387930b31f3ea53c6bea5a21d23
                                                          • Opcode Fuzzy Hash: 29c51f14aa0a0d2569d366193cdda1420a72bd3bfe36c398cbceb69c7f139fec
                                                          • Instruction Fuzzy Hash: A54260B0E042188FEB14DFA4C89479EBBF2EF89304F14C5A9D549AB385DB349945CBE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 96cbbea6983c29d1a04875affd949920c8700b997e889221ea84a9b929f46476
                                                          • Instruction ID: 7cb4228d152ec54d31c6fc30ffcc646c54f46ea58bee4e9562a59ac5d20d29e7
                                                          • Opcode Fuzzy Hash: 96cbbea6983c29d1a04875affd949920c8700b997e889221ea84a9b929f46476
                                                          • Instruction Fuzzy Hash: F75214B1510B07CFD714CF56F888A997BA1FB44318B908318D162DBBA8D7B4798ACF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681123532.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e051568076904ed4cc4856afbcb007f39bf9142f366ce18db1ea050de37638e
                                                          • Instruction ID: 148ed23ade1ab14fecefaef70ea8dcf2c71e65fa5b7da58940080d7c33882f98
                                                          • Opcode Fuzzy Hash: 2e051568076904ed4cc4856afbcb007f39bf9142f366ce18db1ea050de37638e
                                                          • Instruction Fuzzy Hash: A2C15EB1E00259DFEF14CF64C88079DBFB1EF89300F14C6AAD549AB295E7309995CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c46ae3ba4941ac77ef0e87c5bd74aedf855022c0ed822e4fd53ea71a2ccd299c
                                                          • Instruction ID: 29d6eaf8cea54c6100e6f22f730948c07506382afe2772a2d05aae5cae1f57ae
                                                          • Opcode Fuzzy Hash: c46ae3ba4941ac77ef0e87c5bd74aedf855022c0ed822e4fd53ea71a2ccd299c
                                                          • Instruction Fuzzy Hash: 03D1EB31C20B5A8ACB10EB64D990ADDB7B1FF99300F50CB9AD1497B614EB706AC5CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.670748609.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2c3510ffd13f7bd96b481a683602505a088bc3af7258f529d999b513d94f6ed3
                                                          • Instruction ID: 46f1085f32e7bd6b9fc29310671f52186b1e644299f9a27608d727d615973a98
                                                          • Opcode Fuzzy Hash: 2c3510ffd13f7bd96b481a683602505a088bc3af7258f529d999b513d94f6ed3
                                                          • Instruction Fuzzy Hash: E1A18032E0061A8FCF05DFA5D9445DDBBB2FF85310B15856AE805BB221EB71E915CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 300f08093af0a62c56f9022830ab106fdc09f7616ea33bc48178dcde7a31620c
                                                          • Instruction ID: f6f60feb21bf36e0ca8427727e066c8265f4a61d81b9f38155ff01e368673451
                                                          • Opcode Fuzzy Hash: 300f08093af0a62c56f9022830ab106fdc09f7616ea33bc48178dcde7a31620c
                                                          • Instruction Fuzzy Hash: CDD1DB31C20B5A8ACB10EB64D990ADDB771FFD9300F50CB9AE1497B614EB706AC5CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 38393c7a7fd871170bd61e8585cb7c9e657ce9c68bff99f478703e646d15271f
                                                          • Instruction ID: a9361552393f1960d5eaeb1dd71447bd94d654aa54a764a54615fcfb19fea3c5
                                                          • Opcode Fuzzy Hash: 38393c7a7fd871170bd61e8585cb7c9e657ce9c68bff99f478703e646d15271f
                                                          • Instruction Fuzzy Hash: DA8103B4E112099FCB48CFA9D58099EFBF1FF89350F148566E528AB220D774AA41CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b71e2be6bea595b66a82c05341d4adf5f90ee8f1be7f65e60d3c953df2716848
                                                          • Instruction ID: 2854da4f7de72e3b11266fed9cf005ef6407d013cccf1e9d0763c3d65c3bf27a
                                                          • Opcode Fuzzy Hash: b71e2be6bea595b66a82c05341d4adf5f90ee8f1be7f65e60d3c953df2716848
                                                          • Instruction Fuzzy Hash: A27126B0E1520A9FCB04CFE5D4819AEFBB2FF89310F14952AE515A7315D7349A41CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b29028cd2a276346eb3bfee7918b3d93968aa69f071090f5706acce0edac4fdb
                                                          • Instruction ID: e2ad2bf6ae57de363158dfa97ca1905ad54ace856841bbd95611683b85f3b1e0
                                                          • Opcode Fuzzy Hash: b29028cd2a276346eb3bfee7918b3d93968aa69f071090f5706acce0edac4fdb
                                                          • Instruction Fuzzy Hash: F06187B0E0520A8FDB08CFA9C5816EEFBF2EB99310F14D42AD515EB314D7349A418FA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b0ee84f7fa9529b5a4a80d3a68efb9c1828d0494698fcfbcb60c12e63af83dfe
                                                          • Instruction ID: 0760f715411d06488e9f74323e4bad458c66ee6e3691c308148eaa4abd977c8a
                                                          • Opcode Fuzzy Hash: b0ee84f7fa9529b5a4a80d3a68efb9c1828d0494698fcfbcb60c12e63af83dfe
                                                          • Instruction Fuzzy Hash: 9071E4B4E1925ACFCB04DFD9C5808AEFBB1FF89310F14852AE525A7214D334AA42CF95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3da86b379072689609796f841e767b209b680a29feecd1d5e658a21f6b23bf69
                                                          • Instruction ID: ff7d41118fb86786b38d9ad56bcb65e3ff9fd0bd0c8fae0f6cf135694f2bcb9a
                                                          • Opcode Fuzzy Hash: 3da86b379072689609796f841e767b209b680a29feecd1d5e658a21f6b23bf69
                                                          • Instruction Fuzzy Hash: 5A61AB70A146498FD745DFB9D84168A7FF3EB89304F04C87AE014DB366EF780A468B92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1d4144d0a4f9616c58968ff29260d7e82d35dec5fe9aad109739f97ef766ae98
                                                          • Instruction ID: e3ab05930f1c16168aa4c152fbc819d76b1f05910fc80348949a98dafa875653
                                                          • Opcode Fuzzy Hash: 1d4144d0a4f9616c58968ff29260d7e82d35dec5fe9aad109739f97ef766ae98
                                                          • Instruction Fuzzy Hash: 7D513870E1460C9FDB44EFA9E441B9E7BF3AB88304F04C839E1149B265EF7459469B92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a23871c313f7c6c4500f8e9dcf4a9da6186bef99bfa01e68c009d4a41c6ad7b9
                                                          • Instruction ID: 7f37903722a7aa5df87334d1ae13b0471474e785ad60bc15c96939c31adc7b22
                                                          • Opcode Fuzzy Hash: a23871c313f7c6c4500f8e9dcf4a9da6186bef99bfa01e68c009d4a41c6ad7b9
                                                          • Instruction Fuzzy Hash: 8B515AB1E116188BDB68CF6B8D4479EFBF3AFC9300F14C1BA950CA6214DB341A858F51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5498924d104ae8fe87fdb0e95572320d29a6cc63e099aed94cb0b4377ca835d5
                                                          • Instruction ID: 3024f8730f9c7535236b6e6c1ae75b12fbc5d0b048cbd646c4e1569c923938dd
                                                          • Opcode Fuzzy Hash: 5498924d104ae8fe87fdb0e95572320d29a6cc63e099aed94cb0b4377ca835d5
                                                          • Instruction Fuzzy Hash: FD4138B1D1520ADFCB08CFA9D8805EEBBF6FB99300F10D42AD415E7254EB789A058F52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 58b103108e7c7dca2a259a0f0cfd9bf09d89988ada02851833a2e07b16d3872e
                                                          • Instruction ID: ea83e0b98170146fa8f094e6e94e903b43c8eef2af0cb25f751189fdadb75c63
                                                          • Opcode Fuzzy Hash: 58b103108e7c7dca2a259a0f0cfd9bf09d89988ada02851833a2e07b16d3872e
                                                          • Instruction Fuzzy Hash: C641E6B0E0420ADFCB48CFEAD5815AEFBF2BB89200F24D429D525B7264D7349A41CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f1a41b7e8104e58bc5ca892473dda4db9274969a8695b377d82090f9a858b2d
                                                          • Instruction ID: 4d1f3048319697103e30c242cd25e943b0fa4109ed1b115f9d1abe5efd67c08e
                                                          • Opcode Fuzzy Hash: 2f1a41b7e8104e58bc5ca892473dda4db9274969a8695b377d82090f9a858b2d
                                                          • Instruction Fuzzy Hash: 294139B1E116188FDB68CF6B8D4578EFBF3AFC9200F14C1BA950CA6264DB340A858F51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cc7a679dbfe54716e8032fb0041224818d5fc590a4b18db3df580c67571987ec
                                                          • Instruction ID: 81212efbbb339e37048fc4bc45503fc743646bdec83d7531f5a02fb6ff2c4d21
                                                          • Opcode Fuzzy Hash: cc7a679dbfe54716e8032fb0041224818d5fc590a4b18db3df580c67571987ec
                                                          • Instruction Fuzzy Hash: 76417EB0E102198FDB58CF69C880B9DFBB2BB89300F14C0AAD909EB355DB345A458F51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7adba3b6db7f1c085fc7f46309856af523fad01e35a4059715113313b8328e34
                                                          • Instruction ID: d1100abfb47b159e33466adef2417444b6ba063a51b65d15c6ad521be48e19ab
                                                          • Opcode Fuzzy Hash: 7adba3b6db7f1c085fc7f46309856af523fad01e35a4059715113313b8328e34
                                                          • Instruction Fuzzy Hash: 66410CB0E152198FDB68CF69D880BDDFBB2BBC8210F14C0AAD509E7354DB305A458F51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ffb8e996e91835388a8876a1393266ac984e5c5ff00840b3ef9369e27bc53064
                                                          • Instruction ID: d2ef0c2db4cb320505c25226907e21a360b7e8f1166203449dc84bfbfa61bc16
                                                          • Opcode Fuzzy Hash: ffb8e996e91835388a8876a1393266ac984e5c5ff00840b3ef9369e27bc53064
                                                          • Instruction Fuzzy Hash: 904123B1E156548BEB5DCF6B9C4078AFAF7BFC9200F14C1BAD54CAA258DB7006858F11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 22499c6a83e373af95bb854915d69e9416277a77aa8ed54de59021732b5001e6
                                                          • Instruction ID: 53602c3cb3c01ab617986c9acab5d77dbb1cc4ad41d017a8cf8e4f6846168127
                                                          • Opcode Fuzzy Hash: 22499c6a83e373af95bb854915d69e9416277a77aa8ed54de59021732b5001e6
                                                          • Instruction Fuzzy Hash: B33122B0C1521CCEDB24CFA8D8487EDBBB1AB0A304F10442AE505B7381CB785985CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.681075223.0000000007AF0000.00000040.00000001.sdmp, Offset: 07AF0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9331f7cd6997d39d4e68ea93b4268130cd9161ab6d6e894a63da7a958189aac0
                                                          • Instruction ID: ace82623a3924f8548711c913dde123f0bad0f2d444d5e7f48bde0af1c94db96
                                                          • Opcode Fuzzy Hash: 9331f7cd6997d39d4e68ea93b4268130cd9161ab6d6e894a63da7a958189aac0
                                                          • Instruction Fuzzy Hash: 961197B1E056188BEB18CFABD94169EFBF3AFC9201F04C07AD918A6268EB3405458E51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.678803198.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b8f9c4875a917f75cbf29105336321f113546490017efd484ce580ca16352358
                                                          • Instruction ID: 7410ae1ba07d318199b54593ffde09f3a322b4f14ec9b0712b7c083b94e16487
                                                          • Opcode Fuzzy Hash: b8f9c4875a917f75cbf29105336321f113546490017efd484ce580ca16352358
                                                          • Instruction Fuzzy Hash: 191189B1E146188BEB5CCF6BD94469EFAF3AFC8200F14C17AC918B6258EB3405468F51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.909946557.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 51b4064f111b4277d2df377909fa6d275e26cafad00322a1e2c4b8747f67468a
                                                          • Instruction ID: a08d79f752c7ec702389c91b851ecb6187b5ba05a8ac8903645b393cc27902d1
                                                          • Opcode Fuzzy Hash: 51b4064f111b4277d2df377909fa6d275e26cafad00322a1e2c4b8747f67468a
                                                          • Instruction Fuzzy Hash: 57620871E046198FCB24EF78C9646DDB7F2AF89300F1185AAD549AB354EF309A85CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.909850617.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 36287c42b6b79ba139ee8eefacb3eee6c26c9bd10b18e6c0129f3e3561f6851f
                                                          • Instruction ID: 9027013c59876304c1d13368b6d955e6df6688660c560f0e3e7c61791b4e45a4
                                                          • Opcode Fuzzy Hash: 36287c42b6b79ba139ee8eefacb3eee6c26c9bd10b18e6c0129f3e3561f6851f
                                                          • Instruction Fuzzy Hash: E951A171A002059FCB54EBB4C858AEEB7F6BF84204F048969D5529B384EF75E805CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.909850617.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d4f8e4b85a2633c3c8c2b60f6e318990aee784a24b88e852b5715cfbb2449074
                                                          • Instruction ID: bd2c78319217382020c5d4e8d91a97f6db01653250d929178ff8e2e4f34850d7
                                                          • Opcode Fuzzy Hash: d4f8e4b85a2633c3c8c2b60f6e318990aee784a24b88e852b5715cfbb2449074
                                                          • Instruction Fuzzy Hash: DA61FF31A042059FDB04EB74C858AAE7BF6BF85300F1485B9D592DF392EB75EC058BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.909946557.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 915b996acfe92bf5e02dde187b17aca9da89c348c2c5f5395810753eb9994886
                                                          • Instruction ID: 578a604480d63855343dd005d1db565a7dd79c115765d99261d4f8650b7fd1c3
                                                          • Opcode Fuzzy Hash: 915b996acfe92bf5e02dde187b17aca9da89c348c2c5f5395810753eb9994886
                                                          • Instruction Fuzzy Hash: DF412572E083868FCB04CFB9D4402E9BBF1EF8A214F1589AAD554EB641DB789845CBD0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,011BBC1A), ref: 011BBD07
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.909946557.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID:
                                                          • API String ID: 1890195054-0
                                                          • Opcode ID: 14f4bd9dc4f08b6ae20f6fd2e5fc714ac9edc02e54969188004fb8d3292eb4f0
                                                          • Instruction ID: 8bf186465deac5f1a224ba58dd5fcb1d0ea9be97d6180510a34bd454b2bcc94d
                                                          • Opcode Fuzzy Hash: 14f4bd9dc4f08b6ae20f6fd2e5fc714ac9edc02e54969188004fb8d3292eb4f0
                                                          • Instruction Fuzzy Hash: E71130B1C042199FCB00CF9AD484BDEFBF4BB48224F15812AE918B7600D3B8A944CFE5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.909761302.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f8fa07084fa1799e2397756ef39737d9558cdbc964800c494745c99646b3b742
                                                          • Instruction ID: 7e3cd9243a7f053794d8316b8faac45daf0d028bdd39acb618bccd0172732aac
                                                          • Opcode Fuzzy Hash: f8fa07084fa1799e2397756ef39737d9558cdbc964800c494745c99646b3b742
                                                          • Instruction Fuzzy Hash: 742145B1544200DFCF14CF54D8D4B1ABBA1FB84354F20C9ADE9894B246C336D807DB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.909761302.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
                                                          • Instruction ID: 7535d2a08937603be6a3d18b34154745a60a5c11cb22f65903b0d10816d60c96
                                                          • Opcode Fuzzy Hash: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
                                                          • Instruction Fuzzy Hash: BB11EE75544280CFCB12CF54D5D4B15BBA1FB84314F28C6AAE8494B656C33AD40ACBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions